Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
OS X Businesses Operating Systems Apple

Apple Submits Mac OS X For Security Evaluation 51

Posted by pudge from the something-about-being-powered-off-and-buried-underground dept.
ranger8x writes "Apple has submitted Mac OS X and Mac OS X Server to the U.S. government's National Information Assurance Partnership to evaluate various security features. It seems Apple is looking for some respect by the government, and to 'get more exposure.'"
This discussion has been archived. No new comments can be posted.

Apple Submits Mac OS X For Security Evaluation More

Apple Submits Mac OS X For Security Evaluation

Comments Filter:

  • Not look for holes (Score:5, Informative)

    by gbooker ( 60148 ) on Wednesday July 03, 2002 @04:19PM (#3817238) Homepage Journal
    The testing doesn't look for holes in the operating system, but rather evaluates what security features are built into it.

    I guess they needed this so that Windows could be used.

    If that is the case, OS X should not have any trouble at all. Let's look at some of the security features:
    • Root disabled by default
    • SSH remote login
    • Telnet not easy to turn on (should use SSH instead)
    • Can disable auto login
    • Any major system changes require authentication even if the current user is an admin
    • Built in Firewall
    I know this is a short list, but it demonstrates the point well. OS X has many security features that are inherant of a unix based OS. It will be nice to see OS X more accepted amoung the government.

  • A good move. (Score:3, Insightful)

    by jellomizer ( 103300 ) on Wednesday July 03, 2002 @04:20PM (#3817259)
    If apple gets good marks on its security audit. And MS dosent do as well. It is an other thing to stick in MS face. And a way to prove that their OS is better designed then MSes stuff. Of course if it fails (which I think is unlikly) then Apple could be in a lot of trouble.
    • According to what I saw, MS has put Windows 2000 up for EAL4 evaluation, with some funky exeptions. Apple is going for EAL3 evaluation first and probably did a lot of internal tests first.

      Win2000 has been in the lab for a LONG time now, and still isn't certified. Is Microsoft playing the "submitted for" advertising game, hoping that it can run out the clock yet again?

  • gov't: a good market for apple (Score:3, Interesting)

    by larry bagina ( 561269 ) on Wednesday July 03, 2002 @04:21PM (#3817262) Journal
    The Gov't could be a good market for apple,
    particularly now that they use OS X
    Gov't workers are getting tired of code red, nimda, etc, which hilite how insecure Windows is when not properly configured.
    Even though it would require new hardware, OS X has an advantage over linux due to native MS Office support, as well as more commercial applications.
    • get a grip. Can you REALLY imagine a govt. dept. buying YOU a PC with a transparent keyboard? irrespective of how good it is, people ALWAYS see good design as frivolous. My IT mangler always goes for coal-black IBM shitstations whether they're appropriate or not. Ooh! a million quid for a rackmount case? certainly sir!
      • I would expect that as Apple's market shifts, its industrial design will shift too. Take a look at XServe, all brushed metal and easy to look at rack mount front plate and certainly no translucent plastic because it would be a negative for the market.

        In fact, if there is any type of clone agreement that Steve Jobs might go for it would be a nice design shop that would simply design different cases in smaller runs than Apple would be comfortable doing. Imagine a 'Red Delicious, Inc.' that would simply design cases that have the same mount points as current models (and similar or superior cooling values) and put current model guts in them using channels that Apple is either uncomfortable using or is simply not feasible at the unit runs Apple would have to have.

      • I don't know... I think that apple's pro line is moving in the right direction. The XServe and the TiBook look pretty gov-friendly already. Sure, you'd have a hard time slipping a flower power imac in, but Apple has left the candy colors behind it, and good riddance I say.

        Imagine a flat panel imac with the entire case looking like its brushed metal underside instead of that cheap looking whiter-than-white plastic. I think those would fit in well in a government install. All net-booting Jaguar, too, for easy administration.

        So yeah, while your IT mangler might not be inclined toward Apple, sometimes these decisions come from on high, with a bit of boot to back them up. Doncha think Tony Blair would just love to have some showpiece ministry completely kitted out with super-stylish yet oh-so practical imac workstations? Roll cameras, it's new labour, switching and thinking different.

  • Hah!

    Well, I for one would prefer to run an enterprise system on top of a MacOS X Server with XServe than on top a Dell with Windows 2000. My day job has me on Windows all the time but on my own time I use an iBook with MacOS X and a FreeBSD server on a PC. From what I have seen with MacOS X security, I think Apple will get great marks.

    And hopefully they will show they do not need some Palladium system to secure their OS. That is just silliness by Microsoft. They seem to be blaming the hardware for the OS being so insecure all this time.

  • Smart Move (Score:5, Insightful)

    by toupsie ( 88295 ) on Wednesday July 03, 2002 @04:27PM (#3817310) Homepage
    Apple has been really turning around its marketing in the last few months. More agressive. I think when Steve Jobs came back to Apple, he saw that he needed to cement his base customers like a politician does when they start a political campaign. Preach to the converted, assure them of their choice and then reach out to the rest. Apple first started giving historical Mac users something to crow about -- Mac OS X, Dual G4s (proud owner) and lately, the iPod. Now Apple is gunning for the Windows user in its switch campaign [apple.com].

    Now with this move, Jobs is deftly putting a thumb in the eye of Gates. Microsoft talks about 2006 for security, Apple says, "Hey, why not today?". Having a respected third party audit will ring loud against Microsoft's tight lipped security policy. Apple already exposes the base source code for Mac OS X called Darwin to anyone that wants to take the time to download it.

    I had something else important to point out but the FedEx guy just showed up with Warcraft III. I am sure you will understand...

  • What OS X needs for better security (Score:5, Insightful)

    by EccentricAnomaly ( 451326 ) on Wednesday July 03, 2002 @04:53PM (#3817518) Homepage
    OS X has good security, but it has lots of room for improvement. It needs:
    • longer than 8 character passwords
    • checking for good passwords, password expiration, etc.
    • let the user turn off the option where you can login with "John Doe" instead of your username
    • let the user turn off the 'helpful' feature that puts the last user's name on the login screen
    • put a checkbox in the installation process to install a system with maximum security options... stuff like no list of users on the login screen and no web server installed at all, etc.
    Just a few ideas...
    • excellent points, especially the username list & 8 char limit.

      just a comment: the default install includes various servers, yet they're all disabled by default. only after a completed install can those services be enabled.
      • yeah, but an organization might want to remove the web servers on their machines so that some user doesn't set up a web server or some other service and create a possible security hole.

        I guess this wouldn't be a problem if users could get by without administrator access, but Mac vendors don't seem to understand that software installs should rarely require admin password. Why does internet explorer require an administrator password to install?
        • What? I should hope that any install which adds or changes system-wide libraries requires an admin password. Applications that are a self-contained bundle (e.g. Mozilla) don't require any password (or even installer) because an admin user is in group 'admin' and is allowed to write to /Applications for example.

          The reason IE requires a password to install is because it makes changes to directories that a regular user doesn't have permission to change . This is a good practice. Otherwise, what's to stop some dumbass from tearing out critical config files or libraries?
          • But why does IE need to change system-wide libraries?? It's just a web browser! There's no good reason for a web browser to mess with my system libraries. Just look at Omniweb, it plays nice.

            Good OS X apps put everything in their own ".app" directory so you can install and uninstall the app easily.

            You don't even need to be in the admin group to install software on OS X... You can create an "~/Applications" directory in your user directory and install software there. Well written apps function just as well from ~/Applications as /Applications.

            • I agree 100%. A well-behaved OS X app should be self-contained, write its prefs to ~/Library/Preferences, etc, etc...

              I think the reason IE doesn't do this is laziness on the part of the developers... It's an app ported (carbonized) from OS 9. OS 9 apps had free reign to run roughshod over the directory tree. It was (and is) bad practice, but there was nothing stopping you. They just haven't bothered to make it self-contained for whatever reason.
              • You also have the option of declining an install. Any app that requests admin auth can be declined by virtue of the process.

                Don't like IE?... use Mozilla! which so far has got to be the best user experience in a browser I've ever had (flash performance or lack thereof not being a big issue... try Chimera's latest builds if you want to see Windows speed flash on OS X).

          • I should clarify... I don't mean that installers should access these directories and file without asking for the administrator password, I mean that installers shouldn't access these directories at all. 90% of OS X installers that ask for an admin password shouldn't be doing whatever they are doing that needs the admin password.

            If there's a danger of regular user mucking up some critical config file or library why should so many installers be messing with these config files and libraries??
    • let the user turn off the 'helpful' feature that puts the last user's name on the login screen

      You can do this:

      System Preferences->Login->Login Window->Display Login Window as->Name and password entry fields

      This displays a blank name field instead of the picture/name combo. I don't at work since the PC admin has an account on this box too, but then, he rarely has to mess with it so he's apt to forget it. ;-)
    • I don't like password expiration. I have a good unique password for each machine already, never been guessed, why change it unless my machine has been compromised? Password expiration is a bad idea that encourages people to make bad password choices since their new passwords are harder to remember.

      Great point about removing the last-person-who-logged-in listing. When I logout, I'm almost never the next person to log back in! Why would I logout if I were? Get rid of that.

      Web servers -- Apache is installed by default, but disabled, and only admins can turn it on (presumably admins can be trusted not to screw up, security-wise).

      An improvement I'd like: MacOS X has ipfw built-in but disabled, and while apps like Brickhouse are out there to interface with it, I'd like to see a built in OS tool. Maybe in Jaguar? And where's my built in GPG/PGP with GUI? This is Apple, right? Gimme my GUI!

      • http://www.sente.ch/software/GPGMail/ is probably your best front end for GPG right now. Given the limitations of encryption in various countries, I would guess that GPG would not be available in the default install until a lot more countries get their act together and remove encryption restrictions.

        Then again, I'd be much more interested in a Fink GUI (which would get me GPG et al) first.
    • Password expiration? Having to change each month, without reusing any passwords? Uh-uh, not on MY home machine! Perhaps as an option that's off by default.
    • put a checkbox in the installation process to install a system with maximum security options... stuff like no list of users on the login screen and no web server installed at all, etc.

      I should clarify here... I mean give the guy administering a group of machines a simple little checkbox that doesn't even install Apache rather than just disabling it. This is so that a user with administrator password doesn't turn on the web server by clicking the "enable web sharing" box but has to do a little bit of extra work so as to ensure that the user really knows what they are doing.

      And I'd like to be able to set a checkbox at instillation time that locks down all of the little things that you have to remember to lock down after the install, like disabling the list of the users on a system.

      Perhaps, the best way to do this stuff is just have the sysadmins burn their own CD with their own custom OS X install.

      Also, i'm not talking about security options for the average home user. I think Apple has great security for home users. I'm talking about stuff that you want for macs running at atomicsecrets.gov.

    • Even 'mere' 8 character passwords are beyond the current ability of a brute force attack. Assuming the user keeps to upper/lower case characters (no special characters) there are still 52*52*52*etc, 53,459,728,531,456 possible combinations.
  • If Apple wants their computer and OS to pass the testing I think they should get the upgrade vulnerability patched pretty soon.

Slashdot Top Deals

The rule on staying alive as a program manager is to give 'em a number or give 'em a date, but never give 'em both at once.

Close