Do Macs Have an Edge Against APTs?
itwbennett writes "Macs aren't being hit with advanced persistent threat (APT) attacks, but that doesn't mean they're invulnerable, say researchers at iSec Partners. Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of an APT attack — and compared how the Mac would do versus Windows 7. Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story. 'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'"
Here We Go Again ... (Score:3, Insightful)
Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.
How many times are we going to get the same stories? If the user is willing to do anything the app or websites tells them to, well, you can't protect them.
Re: (Score:2, Insightful)
Until the Microsoft propaganda machine stops pumping them out, I suppose.
Re:Here We Go Again ... (Score:4, Insightful)
The article seems unlikely to be MS propaganda. Note that the writer quotes that one investigator (Rob Lee) as saying that he's never seen a compromised Mac, and he advises his clients to replace their compromised MS-Windows machines with Macs to prevent re-infection. Would a MS-paid writer be likely to put such suggestions in their article?
This does bring up a curious aspect of the "logic" behind all the claims that poor little MS is being picked on because it's so popular. If this were true, you'd think that a sensible person would simply refuse to buy anything with a MS logo. True, if you buy a Mac or Ubuntu or whatever rather than Windows, your machine might be attacked sometime in the remote future. But, since we "know" that no commercial systems are totally secure, it would make sense to choose a system that might be attacked in the far future over one that you know will be attacked repeatedly on the first day and probably compromised in the near future. You don't need to know the technical reason for this; you just need to be sensible enough to trade likely near-future failures for possible far-future failures.
So I'm puzzled about who might be behind all this "MS is only attacked because it's so popular" propaganda. I wouldn't think MS's marketers would be so stupid as to tell everyone such a good reason to avoid their brand. I wouldn't think a Windows fanboy would say this either, because it would amount to admitting that they intentionally bought a machine because it was highly likely to be compromised. But there doesn't seem to be any good reason for other vendors to make this suggestion, either, since it amounts to saying that their security isn't any better than Microsoft's. So who is really behind this bizarre bit of logic? Who profits from it?
Re:Here We Go Again ... (Score:5, Insightful)
I think russotto wasn't calling TFA Microsoft propaganda, but rather calling WrongSizeGlass' "Macs are only secure because they're less popular" comment Microsoft propaganda. Which it is, of course. Any argument that relies on security-through-obscurity is wrong, no matter how you try to dress it up. WrongSizeGlass and the zillion other posters who repeat this tired canard may not realize they're propagandizing for Microsoft, but that's what they're doing, sure enough. They should at least demand payment for their services.
Re: (Score:2)
Combine these two, and the conclusion that "Macs are only secure because they are less popular" is most certainly true.
Going further, Apple is also incapable of protecting iOS in spite of their extensive efforts to lock it down, that it too is vulnerable to drive-bys that will entirely
Re: (Score:2)
Microsoft gets attacked because the Line of Business applications run on Windows. How many large accounting systems, ERP systems, etc. run on OSX? Know anyone running a factory on OSX? How about a firm doing R&D and drafting blueprints and other technical documents on OSX?
OSX is not a target because there are very few people running OSX who have access to the systems with information that dedicated, skilled attackers want to get to. With Apple's incessant focus on the consumer space, little is likel
Re:Here We Go Again ... (Score:5, Insightful)
OSX is not a target because there are very few people running OSX who have access to the systems with information that dedicated, skilled attackers want to get to.
That's simply not true. For example, OS X is very popular among scientists and engineers at many of the national labs.
Re: (Score:2)
To be fair, Lockheed-Martin was hacked because they depended on a 3rd party (RSA) for a critical part of their security infrastructure.
When RSA subsequently had a massive data compromise, instead of letting their customers know what happened, they downplayed the ramifications of the breach. And RSA just won a pwnie [pwnies.com] for their efforts.
Not that that changes your response in any significant way.
Re: (Score:2)
It's a fanboy response that goes right back to the early MSDOS days. It is of course currently irrelevant considering the number of other devices on the internet now. All those routers, modems, webservers etc out there are also popular and available 24/7 in hundreds of thousands per model or OS version to provide a potential botnet beyond the wildest dreams of a cracker - yet malware is currently only a Microsoft platform problem.
Re: (Score:2)
The numbers don't work out as well as you think. If you've got a pool of, say, a half million Linksys routers to target, some percentage of which are vulnerable, or a pool of 500m installed XP systems, some percentage of which are vulnerable, you're a lot better off focusing on XP than a Linksys router. (And the numbers for any given model of a router aren't anywhere near that when you count firmware and hardware revision changes.)
Plus, if you target a router (a $50 device with a slow CPU) you have high odd
Re: (Score:2)
Clueless people should not open their mouths about the very subjects that they are clueless about.
Re: (Score:2)
Routers, webservers, etc don't have a human driving them. Think about it.
Re: (Score:2)
You're puzzled who might be behind the propaganda because, perhaps, it's not propaganda.
The fact of the matter is, if you are creating a targeted attack on a system, you don't care in the slightest what platform it's on -- you are going to hand craft the attack for your specific target using no matter what vectors you have to. Look at Stuxnet as an example.
If you are creating a generic attack, where the value is in numbers, not in a specific target (stealing people's financial information, creating a spambot
Re: (Score:3)
Hmmm...
1) Hacker sets up server with a big trap door
2) Hacker takes the machine he wants to win and drives the browser through the big trap door
3) Hacker willingly executes the instructions he set up in the big trap door
4) Hacker wins a new MacBook Pro
That doesn't sound like a random attack in the wild to me. Compare that to MS servers sitting in a room somewhere minding their own business with absolutely no human interaction. They get hacked if you just wait long enough.
"Click Here to See the Dancing Monke
Re: (Score:2)
If you were doing it would you go after the Crap $800 dell running windows or the juicy $1600 Macbook Pro.
Get a clue as to how Pwn2Own works.
Re: (Score:2)
So I'm puzzled about who might be behind all this "MS is only attacked because it's so popular" propaganda
Might have something to do with the fact that the first machine to fall at Pwn2Own since its inception in 2007 has been a Mac, every time. (2011 Pwn2Own writeup) [arstechnica.com]
The magic word is "Zero-Day". If you find 10 exploits for Windows a month before Pwn2Own, chances are high every single one of them has been exploited by somebody else by the day of the contest - meaning you can't win with them. Charlie Miller, meanwhile, will dig out something he found for last year's contest that nobody else found in the meantime.
So yeah, the fact that Macs keep "winning" Pwn2Own proves that Windows is attacked more. Not that it's safer.
Re: (Score:2)
I don't know what's worse. Microsoft's propaganda machine or Apple's "sweep it under the carpet" regime.
Re: (Score:2)
Yeah, sure, MacDefender was a big nasty thing that required you to install it yourself, ooooh scary...
And yes, it required several "ok" clicks as well as the user inputting his/her admin password for the machine. Classic trojan behavior.
I actually stumbled upon a MacDefender "downloader site", do you know what it did? It showed a website that looked vaguely like a Finder window with a small "ZOMG VIRUSESSES!!!!11one" popup in the middle while it forced a download of the installer. Had I then actually run
Re: (Score:3, Interesting)
Apparently you've never read about James Plamondon and his "Technical Evangelists" [groklaw.net]. The Combs-3096.pdf is a collection of his training manuals and describes "The Slog", and a real jewel you'll love called "The Stacked Panel". Then, I suppose, you've forgotten about the stuffed ISO committees, or the scam which gave expensive laptops to journalists in exchange for favorable stories about VISTA?
When his "work" was revealed in the Combs vs Microsoft trial Plamondon did a Mea Culpa, and now decries the tacti
Re:Here We Go Again ... (Score:4, Insightful)
Do you have any evidence to suggest that Microsoft is behind this story in some way? Any at all?
Apparently you've never read about James Plamondon and his "Technical Evangelists".
So the answer is no then.
Surely attempting to demean a study and its researchers by alluding to bad things done by a completely separate group of individuals (without any evidence linking the two) is exactly the kind of behaviour (of Plamondon) that you are decrying. The fact that Microsoft had technical evangelists does not mean that the opposition's products are without criticism, nor that such criticism will be sponsored by Microsoft. I have yet to see any indication that Robert McMillan or iSec Partners are shills for any company.
Re: (Score:2)
Microsoft has some very dirty laundry in this area, and the GP just wanted to point out the similarities between those cases, and this specific case.
That's my objective reading of this thread, of course, you are free to add your own bias.
Re: (Score:2)
That's my objective reading of this thread, of course, you are free to add your own bias.
I'm going to assume that this is a joke, although on Slashdot you can never quite tell!
It would make a good signature, though!
Re: (Score:2)
Tell you what, why don't you google it and provide us with the appropriate link showing a financial link since you are the one making the allegation. Repeating press releases doesn't count, because that is why companies write press releases. If that is corruption, then all companies are doing it wrong.
Re: (Score:2)
The story came out a few hours ago and you want documented evidence now?
Microsoft has a loooong history of astroturfing, starting fake grass roots campaigns, etc.
OTOH, yes. There's a reason Macs don't have viruses and it's not because Macs are more secure, it's because there's no need for them in botnets yet (there's no shortage of Windows machines in sight so why go to the bother of coding for Mac...?)
Re: (Score:2)
This is certainly not enough to get a conviction in a court of law, but it's definitely "evidence". Let's have a look at one of the sentences.
Re: (Score:3, Insightful)
Wash. Rinse Repeat. Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly.
I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.
Re: (Score:2)
maybe because at the time, these thousands were a very large slice of a much smaller pie ?
Re: (Score:3, Interesting)
I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.
So you reason that malware writers would do something because 20 years ago in a very different environment for different reasons people did something? The comparison is absurd.
Firstly 20 years ago malware looked different and had completely different goals. The vast majority of them were written for comical / destructive purposes not to make money. These days malware is a business and the ultimate goal is not to have malware which affects the user experience but rather is invisible to the user meanwhile exp
Re: (Score:2)
Malware writers would quite happily release malware for OSX if they could make it work
History disagrees.
In the first [Pwn2Own] contest [wikipedia.org], Dino A. Dai Zovi and Shane Macaulay worked together to take down the first MacBook Pro.[5] On the second day of the conference Macauley sent an email which redirected the user to a malicious site. The site was able to infect the machine with a client-side Javascript vulnerability which allowed arbitrary command execution.[6]
Each subsequent year isn't much better.
And why so smug anyways, Safari is already exploited on Windows, as are Firefox, Quicktime, Java, Acrobat Reader, and Flash-- all of which are usually installed and vulnerable on Macs (unless you think that PDFs somehow aren't as dangerous on OSX).
Wasn't there a story some months back about a PDF that could launch arbitrary code on all 3 common platforms (OSX, Linux, Windows)? Yea, enjoy your smugness while it lasts.
Re: (Score:2)
Talking of Mr. Zovi, here's what he says about Lion [nytimes.com] :
"[...] now, they are also more secure than PCs, thanks to several crucial security improvements in the operating system itself, Mac OS X 10.7. So says Dino A. Dai Zovi, an independent security consultant. Those operating system features now put Lion ahead of Windows 7, the latest version of Microsoft's operating system, whose leadership was forged from the fire of relentless attacks by hackers and malware writers, he says."
Re: (Score:2)
do mac users use adobe reader instead of preview?
I've never seen one who does; preview's a decent PDF viewer (and does other things too such as image viewing). I don't know if it supports all the features of Acrobat Reader, but being without the "run arbitrary javascript without any attempt at safety" feature is Just Fine With Me.
Re: (Score:2)
Wasn't there a story some months back about a PDF that could launch arbitrary code on all 3 common platforms (OSX, Linux, Windows)?
Only if you used Adobe's PDF reader. Given its security track record, you'd have to be crazy to do so. On OS X, the default PDF reader is Preview, which ships with the OS. On *NIX, there's typically some xpdf derivative like Evince. Windows is the only platform where the majority of users put up with Adobe Reader for PDFs.
It's like saying that a vulnerability in bash works on Windows, Linux, and OS X. Sure, you can run bash on Windows - I did for a while - but it's not something that most users do.
Re: (Score:2)
Only if you used Adobe's PDF reader. Given its security track record, you'd have to be crazy to do so. On OS X, the default PDF reader is Preview, which ships with the OS. On *NIX, there's typically some xpdf derivative like Evince. Windows is the only platform where the majority of users put up with Adobe Reader for PDFs.
...and here's where the "monopoly" card bites Microsoft. They can't include a (different) PDF reader with the OS, because if they did, Adobe would sue them for anti-competitive behavior.
Hell, the threat of anti-competitive lawsuits from Symantec keeps Microsoft from shipping their own (already written) anti-virus with the OS!
Re: (Score:2)
I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago
Invisible/deceptive malware is directly against the Apple Human Interface Design Guidelines. And developers targeting OS X are extremely respectful of Apple's application design rules.
Re: (Score:2)
And malware for Mac, I had to remove some in 1990 and 1991.
Re: (Score:2)
You are implying that Macs must be more secure then, but that doesn't stack up either. Most viruses for Windows are trojans because Windows 7 is well protected against drive-by infections, and there are several browsers to contend with (IE7/8/9, Firefox 3/4, Chrome, Safari).
If they can trick a Windows user into clicking through all the warnings and entering their password to install some malware then they can trick a Mac user too. Your argument about Amiga and Atari viruses misses an important point: Back t
Re: (Score:3, Insightful)
Two points:
1) That old saw about Microsoft being vulnerable because of its market share is hogwash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages then about 12% of those would be Linux [osnews.com] viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.
2) Blaming Windows users f
Re:Here We Go Again ... (Score:5, Insightful)
While I agree with your conclusion (that Windows is a less safe OS than Linux), your first point is completely illogical. The number of viruses released in a given year can be a function of market share without being a 1:1 function of market share. Criminals will always target the OS with the largest numbers of technically unsavvy users. Why double your efforts to increase your pool of potential victims by only ~10%?
Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.
Re:Here We Go Again ... (Score:5, Interesting)
Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.
The guy who won all those Pwn2Own contest says that OSX Lion's security [nytimes.com] is now better than Windows 7.
Re: (Score:2)
The work needed to target MacOS is probably more than 2x because there are still plenty of XP machines out there which are an easy target compared to Vista and 7. IE9 doesn't support XP either, but is a critical update for Vista and 7 users.
One other point people seem to be missing is that the majority of Windows viruses are trojans, i.e. they trick the user into installing them. There is no reason why that would be less effective on Mac users.
Re: (Score:2)
That old saw about Microsoft being vulnerable because of its market share is hogwash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages then about 12% of those would be Linux [osnews.com] viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.
Logic fail. If there is an 80% chance that you will make $100 by wearing blue on Mondays, and this is public knowledge, what percentage of people do you think will wear blue on Mondays? 80%, or all of them?
Blaming Windows users for security holes that Microsoft keeps secret from them is worse than obscene.
And trying to pretend that most exploits aren't through cross platform browser plugins is just ignorant.
Those inflated virus numbers probably also include the fact that viruses are recompiled and repacked daily-- and thus need a different virus definition to detect. How, you might ask, can they afford
Re: (Score:2)
I don't care how many pieces of malware are created aimed at Windows, Linux, MacOS or other flavours of Unix...the result that speaks for itself is that every year that they have had a hacker competition to see who can compromise and root a system where they compared Windows, Linux and MacOS, each of which has been secured by native experts...Windows has *always* been compromised, and I think it was always the *first* one compromised. MacOS, when it was compromised was second, and Linux was either the last
Re: (Score:2)
One correction...one year, the Mac was compromised first.
Re: (Score:2)
Actually, *every* year, the Mac was compromised first.
Re: (Score:2)
"Only 19% of Internet web servers are running Windows but they are the source of essentially all malware."
Absolute rubbish - JavaScript and iframe infections (often used to serve drive-by downloads of malware) affect all web servers, and often only require a stolen FTP password to work, or a PHP app with a security hole. The majority of web servers are still Linux, and that's where the majority of web app served malware is.
This is often not Linux's fault - if the user has an FTP password saved on thei
Re: (Score:2)
As long as the user has no way to quickly and safely run something in a sandbox, this will continue happening.
IMHO, once you give them the ability to run programs in a default deny environment, users can manage things fairly well.
See also: http://www.ranum.com/security/computer_security/editorials/dumb/ [ranum.com]
Re: (Score:2)
Wash. Rinse Repeat. Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable. How many times are we going to get the same stories? If the user is willing to do anything the app or websites tells them to, well, you can't protect them.
You appear to have missed the bit where TFA was almost the exact opposite of the usual:
According to the security researchers quoted, OSX was essentially never the initial foothold/desktop attack; but was judged to be as weak, or weaker, than alternatives when it came to the post-foothold internal attack phase.
Most Mac/Security stories are an argument between the "It's just obscure" camp and the "superior by design" camp. This article asserts "Obscure(enough to rarely/never be the social engineering in
Re: (Score:2)
If the user is willing to do anything the app or websites tells them to, well, you can't protect them.
Reading up on Pwn2Own results, and reading the security update notes on major browsers / flash / acrobat would prove really informative. Most of the viruses I've seen are not from incompetent users.
Re: (Score:2)
Reading up on Pwn2Own results, and reading the security update notes on major browsers / flash / acrobat would prove really informative. Most of the viruses I've seen are not from incompetent users.
In Lion all those are now separated into independent processes and sandboxed. Should make things a lot more secure.
Re: (Score:2)
Reading up on Pwn2Own results, and reading the security update notes on major browsers / flash / acrobat would prove really informative. Most of the viruses I've seen are not from incompetent users.
In Lion all those are now separated into independent processes and sandboxed. Should make things a lot more secure.
Ought to make Safari more stable too, since the suck that is flash will be less coupled to the rest of the browser. Even without the improvement in security, that's still a Good Thing.
Re: (Score:2)
Because of... wait for it... market share.
Re: (Score:2)
Try a contest where the first person to break any platform gets to choose which hardware he/she wins, and see if it still falls first. Just saying.
Re: (Score:3)
Try a contest where the first person to break *any* system gets $10.000 or $15.000. Then you have pwn2own. And then you'll see that the attackers attack the system they believe most vulnerable first. Or they risk someone else does it. What would you rather have, a MB Pro + $5000 or an HP/Dell + $15.000?
Re: (Score:2)
Try a contest where the first person to break *any* system gets $10.000 or $15.000. Then you have pwn2own.
Try a contest where you can crack a system with an exploit that isn't 0day. Then you'd have something more real world - but not Pwn2Own.
Re: (Score:2)
Yeah, Macs are so secure that they were the first to fall at Pwn2Own for five years in a row.
Macs presented a challenge, and are highly desirable to own, so it's no surprise that security researchers concentrated efforts on pwn1ng them, so they could walk away with the coolest toy participating in Pwn2own.
In other words... it's a contest that tends to select a predictable result every time: whichever the platform is most desirable hardware, as far as the participants are concerned.
So the contest wa
Re: (Score:2)
You get $10k per target, which substantially exceeds the machine price, so while it's not perfectly objective it's not that far out of whack.
I do find this argument funny because it's essentially identical to the argument "Windows Exploits are more common because so many more people have Windows and therefore it's more rewarding to exploit Windows".
Re: (Score:2)
Yeah, Macs are so secure that they were the first to fall at Pwn2Own for five years in a row.
That's because you need 0-days to win Pwn2Own. One that hasn't been discovered (and exploited) yet by somebody else before the day of Pwn2Own.
Re: (Score:2)
And also the first to be attacked. The contest isn't a simultaneous attack on all platforms, it is done sequentially with OS X being the first in line (and thus the first to fall). It's like claiming Joe is more bullet-proof than Jim because the gunman shot Jim first...
Article is crap (Score:5, Insightful)
"For example, Mac's Keychain software is vulnerable to what's known as a brute-force attack, he said."
Idiot alert, article is crap.
Re:Article is crap (Score:5, Informative)
The NSA's guide to securing Apples talks about how to make the keychain reasonably secure here [nsa.gov]. Notably, they do not recommend turning it off or using third-party software.
Re:Article is crap (Score:4, Informative)
Yep, that one is copyright Apple. Here [nsa.gov] is NSA's guide to hardening OS X. It does not recommend turning off keychain (though there are several other items it does recommend turning off).
Re: (Score:2)
It does not mention keychain. I see that as an oversight - not a recommendation of its security.
Did you just imply that the National Security Agency is so bad at its job that when it examines an operating system for vulnerabilities, and writes up instructions on hardening it (which will presumably be used by other government agencies), key things are overlooked?
Re: (Score:2)
Totally.
Re: (Score:3)
Agreed. If they're talking about an authentication model in the context of mDNS, that's prima facie evidence that they don't know the first thing about Mac OS X... or mDNS. mDNS is:
And they seem to think Kerberos is insecure. Kerberos is, of course:
An
Re: (Score:2)
My problem is that the article makes it sound like they've found lots of huge flaws in the way Mac OS X handles passwords, yet it doesn't give even one specific example. It also talks about authentication policies for services that don't even involve authentication. And then it implies that all of these supposed flaws are somehow specific to Mac OS X Server, when none of the things listed are specific to the Server version of Mac OS X (or even specific to Mac OS X, with the exception of Apple Remote Deskt
Try the summary (Score:2)
Can someone explain what apt is, other than the package manager for ubuntu?
The package manager for Debian.
But seriously, if you read the summary, you see that it's referring to advanced persistent threats [wikipedia.org].
Sysadmin decides. (Score:5, Insightful)
Windows server looked after by a good sysadmin == secure.
Mac server looked after by bad sysadmin == insecure.
As always, it's up to the people running it. Is any OS inherently secure? No, definitely not when there is a complete idiot looking after it.
Re: (Score:2)
Windows server looked after by a good sysadmin == secure.
Mac server looked after by bad sysadmin == insecure.
As always, it's up to the people running it. Is any OS inherently secure? No, definitely not when there is a complete idiot looking after it.
Yes, of course. But the relevant question for businesses deciding what kind of server setup to use is, "If this system is looked after by an average sysadmin, how secure will it be relative to our other choices?" Because in real life, no matter how much you tell yourself you only hire top-notch people (or, if you're the sysadmin, tell yourself you're top-notch) most servers and networks are going to have admins who are neither the best nor the worst, but somewhere in the middle.
Re: (Score:2)
Yes, of course. But the relevant question for businesses deciding what kind of server setup to use is,
Security is a conscious process, it doesn't matter what OS you use as long as that process is kept conscious. Contrary to what Apple and the Security Industry say, no software is inherently secure or more secure than the others, security is entirely dependent on your (the sysadmin's) procedures and awareness.
As for which OS for business, that's a decision to be made according to the needs of the business.
"If this system is looked after by an average sysadmin, how secure will it be relative to our other choices?"
There is no such thing as an average sysadmin.
Everyone has different strengths and weaknesses, the
Re: (Score:2)
There is no such thing as an average sysadmin.
Right. Every sysadmin is a special snowflake. [rolls eyes]
Everyone has different strengths and weaknesses, the good sysadmins identify their own weaknesses. The poor sysadmins ignore them. Good sysadmins adapt to changing environments, poor sysadmins change environments to suit them.
All of which is true, none of which changes the fact that in every job, there are a few people who are very good at the job, a few who are very bad, and a whole bunch in the middle. Sysadmin work isn't so different from any other technical job as to change this.
Re: (Score:2)
You're very good at missing the point.
There are no average sysadmins because you cannot define an average due to the huge number of variables involved.
I'm sorry for not pointing that out, I thought you'd be able to figure it out on your own from the other parts of my post.
Re: (Score:2)
I get your point fine; I just disagree with it. Yes, sysadmin work is a very large field with specialized skillsets. So are programming, and medicine, and all kinds of other technical fields. Does this mean there's no such thing as an average programmer, or average physician, or what-have-you? I maintain that the traits which make a good X are to be found in a broad range among people who choose any of these careers, with most X's falling in the middle of that range. Yeah, in your example, if you decid
Re: (Score:2)
Yes. Of course, statistically, the good sysadmin is more likely than market share would suggest to be running the mac server, because good sysadmins have a tendency to avoid windows wherever possible...
Re: (Score:2)
Yes. Of course, statistically, the good sysadmin is more likely than market share would suggest to be running the mac server, because good sysadmins have a tendency to avoid windows wherever possible...
A good sysadmin can make anything secure and usable. They literally turn lead into gold (server iron into revenue).
But a good sysadmin will avoid Mac because they make it so difficult to do anything useful with them. Want to avoid Windows? He deploys Linux. Want an expensive proprietary solution? He'll have the IBM Rep on speed dial, "only another $40K for a system P processor card, a bargain sir".
Only bad sysadmins are fanboys and make things harder on themselves.
Re: (Score:2)
Windows server looked after by a good sysadmin == secure.
Mac server looked after by bad sysadmin == insecure.
The sad part is that much (most?) of being a good sysadmin consists of ensuring that you install security updates regularly. I've been close enough to embarrassing hacks on several servers to know what happened, and all (but one!) have been hacked as a result of a poor update policy. (The last one was due to a weak root password + passwordAuthentication enabled on ssh)
For all my own systems, I deman
Re: (Score:3)
Re: (Score:2)
I'd argue that both are closed source and therefore, by definition, their security cannot be determined.
I won't argue that, but it is beside the point.
Put an incompetent nincompoop in charge of a Linux server and you should consider it as insecure as the most unpatched NT4 box. Security is done by people, not programs.
Re: (Score:3)
Most of the core MacOS X systems are not closed source. You can download most of them here [apple.com]. It's true that a lot of the GUI is closed source, but if you're talking about a remote exploit, you're probably hitting a lot of open source packages.
Metasploit (Score:2)
BSD is generally more secure than Windows (Score:2)
Not quite sure on the definition of an APT. Wikipedia says it's generally a foreign state. .dmg files are not instantly run like an exe.
I would think that due to core system generally having less holes in it, getting in without user execution would be harder. I don't think it matters in the end as you would still execute something, but
I would also think getting the user to execute malicious code would be significantly harder. Base apple software is generally usable so you don't need to find replacements. People who b
Re: (Score:2)
And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet. This means that getting someone to run your code requires tricking them (through social engineering) into knowingly launching an application that they've never launched before, as opposed to tricking them into running your code by making it look like a JPEG file of Lindsay Lohan naked or whatever. Maybe Windows 7 does the same thing (I'm not sure), but that was at least historically a big problem on Win
So does Windows (Score:3)
And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet. This means that getting someone to run your code requires tricking them (through social engineering) into knowingly launching an application that they've never launched before, as opposed to tricking them into running your code by making it look like a JPEG file of Lindsay Lohan naked or whatever. Maybe Windows 7 does the same thing (I'm not sure), but that was at least historically a big problem on Windows.
In Windows, files downloaded from the internet have the origin written in an alternate data stream. If you execute such a file you get a warning (like in OS X), but then even if you choose to run the executable, it will run with low integrity. Low integrity is part of UAC and sandboxes the process so that it by default has only read access as the current user. Write access is completely blocked, save a few safe cache locations. This is a major obstacle for anyone wanting to use a
Re: (Score:2)
It was Service Pack 2 of Windows XP that added that feature.
Re: (Score:2)
Windows has done this since time immemorial, and generally makes it a PITA to run any downloaded content.
Re: (Score:2)
Windows has done this since time immemorial, and generally makes it a PITA to run any downloaded content.
You can fix this by editing or deleting the :Zone.Identifier:$DATA alternate data stream of the file. The file loses its internetness.
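A defender-side check for the Zone.Identifier stream that the comment above and the earlier "So does Windows" comment describe: it reads the stream back, reports which zone a file came from, and flags executables that carry no mark-of-the-web at all (what a deleted stream looks like). This is an added example, not code from the thread; it assumes PowerShell 3 or later on an NTFS volume, and the folder default and the extension list are my own choices.

```powershell
# Added example (not from the thread): parse the Zone.Identifier alternate
# data stream that Windows writes on downloaded files and audit a folder.
# The stream is an INI-style block: [ZoneTransfer] / ZoneId=3 / HostUrl=...
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Content -Stream reads the named ADS; it returns nothing if absent.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $info = @{ ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*(ZoneId|ReferrerUrl|HostUrl)\s*=\s*(.*)$') {
            $info[$matches[1]] = $matches[2].Trim()
        }
    }
    return [pscustomobject]$info
}

function Test-DownloadFolder {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumed default
    # URLZONE values as Windows records them in ZoneId
    $zones = @{ '0' = 'LocalMachine'; '1' = 'Intranet'; '2' = 'Trusted'
                '3' = 'Internet';     '4' = 'Restricted' }
    # Extensions that Windows treats as runnable content (my own list)
    $runnable = '.exe', '.msi', '.dll', '.scr', '.bat', '.cmd', '.ps1',
                '.js', '.vbs', '.hta', '.jar'
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $motw  = Get-MarkOfTheWeb -Path $_.FullName
        $isExe = $_.Extension.ToLower() -in $runnable
        [pscustomobject]@{
            File   = $_.Name
            Zone   = if ($motw) { $zones[[string]$motw.ZoneId] } else { 'none' }
            Source = if ($motw) { $motw.HostUrl } else { '' }
            # An executable with no stream either never came from the
            # internet or had its mark stripped; either way, worth a look.
            Flag   = if ($isExe -and -not $motw) { 'runnable, no mark-of-the-web' } else { '' }
        }
    } | Format-Table -AutoSize
}

Test-DownloadFolder
```

Run it against any folder with `Test-DownloadFolder -Folder 'C:\some\path'`; files written by tools that do not propagate the stream (some archivers, for instance) will also show as `none`, so treat the flag as a prompt to check, not proof of tampering.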
Re: (Score:2)
once you install OS X server you're toast (Score:4, Funny)
Oh boy a new buzzword. (Score:2)
And one that is already occupied by another term in the realm of IT.
Advanced Persistent Threat, eh?
Ugh... really? You couldn't just say "targeted attack"? What about spear-phishing? Too hard to spell? Dipshits.
Re: (Score:2)