Mac OS X Security Criticisms Countered 464
Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
Slow site (Score:5, Informative)
Muckraking, the PC Way
Richard Forno
12 Dec 03
Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.
Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.
Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.
Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.
In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."
In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?
More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.
Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.
The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. Its also something Microsoft unfortunately cant accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)
At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesnt have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win
This seems awfully long-winded... (Score:5, Funny)
Re:Slow site (Score:3, Insightful)
Ah nom de dieu c'est fou ce que je m'enjoie la, thanks dude, best cyber ever
Side note: Did any euro mac
ok.. (Score:5, Funny)
Attacking the author (Score:5, Insightful)
Tho Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.
Re:Attacking the author (Score:5, Interesting)
As the parent said, this guys facts seem solid, but his attitude makes it difficult to take him seriously.
Re:Attacking the author (Score:5, Funny)
Technologist is to technology what Waitress is to acting?
Re:Attacking the author (Score:3, Insightful)
this guys facts seem solid, but his attitude makes it difficult to take him seriously.
I took him a lot more seriously than Lance. Wanna know why? It's not because I am biased toward the Mac (Which I freely admit), but because his page is devoid of advertising.
That's right, he's not trying to sell me something through a banner ad. His writing is personal conviction, not whoring for ad money. The PCMag article is surrounded by hundreds of links trying to sell you something, various banners and a flas
Re:Attacking the author (Score:5, Insightful)
Re:Attacking the author (Score:5, Insightful)
I concur will your view - the correct answer, said rudely, still isn't right.
Re:Attacking the author (Score:2)
Um... please help me understand this one. Does this mean if you say a truth meanly, it's not true? I think you need to clarify that it is the rudeness, not the factuality, which is in question. The ambiguity of the English language leaves too much room for such things, and often just gets people mad at each other.
Say what you mean, and mean what you say.
Can't resist... feeding... the... Troll (Score:5, Funny)
You are right, of course. But expecting Forno to avoid name-calling would mean expecting him to avoid feeding the Troll. This one was so cute, and looked so hungry... Maybe just a LITTLE food would be okay...
Crap. Slashdot picked it up. So much for keeping the Troll population down this Christmas season!
Deservedly (Score:5, Interesting)
Re:Attacking the author (Score:3)
Um. Glorifying the horrible things that've been done to other people by suggesting them as appropriate consequences for writing a dumbass article seems like a little uncouth, eh?
trust (Score:4, Interesting)
Audit. WAS: Re:trust (Score:5, Insightful)
Don't trust vendors.
Don't trust open source.
Trust no one.
Audit.
Re:trust (Score:2)
Although it should be noted that anyone can download source and build the Darwin OS themselves http://developer.apple.com/darwin/ (Mac OS X is built on Darwin, which is built on BSD).
Re:trust (Score:2)
And yet...
the only computer that i would fully trust to protect my stuff would be a gentoo linux box custom made for a specific purpose
not that I have anything against gentoo zea..., ehmm... I mean folks putting in a good word for gentoo, even if it is unrelated to the article
Re:trust (Score:4, Informative)
In the real world where a person may need to run various applications and perform unforeseen tasks, security is still a consideration. I myself run OS X because (among other reasons) I don't like having system performance degrade over time, or worry about opening emails. Is having my system hacked the end of the world? No, but I'll take the better odds any day.
Re:trust (Score:5, Interesting)
As far as that goes, no operating system is 100% secure. The only way its secure is if its off. If you require a password to log on, its vunerable. If to nothing else, someone else on the inside figuring out that password. 80% of all the breaches we see are inside jobs. Either disgruntaled employee, sys admins don't remove passwords of terminated or former employees, or a hacker goes calls on the phone saying, "I'm joe from department x or branch y, and I forgot my password".
Even now, we have an internal network of 3 computers linked to a server that manages our accounting data. None of those boxes are connected to the Internet. That only leaves the possiblity of a breach from within or a unit being stolen physically from our office.
We do a lot of IT consulting and expaning into security, and the one question we always have to ask ourselves and clients, "Okay, nothing is going to be 100% secure, where do you draw the line?" Granted, most of our clients have 20 or fewer employees and aren't doing a lot that needs governmental levels of security. Usually Zone Alarm Pro and Norton is about the best defense these people are going to get for the money. Some larger companies elect on having a dedicated hardware firewall installed or an *BSD box configured as a firewall too.
Now on the desk of an average employee sets either a PowerMac G4 of various speeds, an iMac, iBook (yeah, I'm the President and I have an iBook), or a powerbook all running OS X.2 with my business partner's Powerbook the only 10.3 at the moment. We don't worry about the worm of the week on our machines.
At the end of the day, the way in which Windows is built and the intergration of IE, MP, etc. there is only so much you can do, and saying "Switch to Linux" often isn't the answer as well, at least to our small business clients. And I will defend that position with one word: Quickbooks. At least with Macintosh, they can have their Office, QuickBooks, Email, and Internet with a system they can understand, and provides more security than windows out of the box. Perfect, no, practical, yes.
Re:trust (Score:5, Funny)
What, like, Andrew Carnegie and John D. Rockefeller had to jog on the broken computers? How does that help? Man, I just don't understand security these days.
Re:trust (Score:2)
However, I'm thinking of trying Gentoo on one now that I'm older and more nimble of finger....
I'll take Zealots for 500, Alex (Score:4, Insightful)
If I have to choose sides, I'll go with the Zealots on this one. Apple's security and responses to breaches (so far) have been light years ahead of what I've dealt with from MS.
Tim
Cockiness (Score:5, Funny)
Re:Mac Elite loves to feel cocky... (Score:5, Funny)
I'm sure we all know a:
Mac Zealot
Microsft Apologist
Pompus Unix Geek
Re:Mac Elite loves to feel cocky... (Score:3, Funny)
Re:Mac Elite loves to feel cocky... (Score:5, Funny)
Wally -- "You're one of those condescending UNIX computer users!"
UNIX-guy-- "Here's a nickel, kid. Get yourself a better computer."
--Dilbert, c. 1994
*sigh* (Score:5, Insightful)
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
Re:*sigh* (Score:5, Insightful)
While this new article does take maybe too much aim at the original author, it should at least help clarify what is really going on.
I'm far from a security expert or anything, but I would be far more apt to trust Mac OS security out of the box than Windows security...
Re:*sigh* (Score:5, Insightful)
The basis for a rebuttal is valid and appropriate. A correction by the author would be better, but we tend towards sensational announcements and very, very quiet retractions.
Re:*sigh* (Score:5, Insightful)
It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.
Unfortunately, it is exactly that type of disingenuousness that is the hallmark of yellow journalism. You don't get to ex post facto decide whether something is a story or journalism. I assure you that there is no field for "story" or "journalism" in any standard bibliographic form. This is how people like Ann Coulter get away with slander, and then take a "ha ha only kidding just my opinion" stance to defend themselves.
As soon as a story is referenced, it becomes a reference, regardless of what the original motivations were.
Re:*sigh* (Score:5, Insightful)
1) If Lance can post something regarding his opinion of an operating system, then Richard can post his opinion of Lance's article.
2) Everyone's entitled to an opinion, but not all opinions are equally valid. This is a fundamental point of epistomology. Lance is spreading FUD. What his motivation is, is unclear. But that doesn't give Lance the right to be spreading false accusations. Someone has to stand up and say so. If I were as good a writer as Richard I might have done it.
3) Lance KNOWS what he's doing, and either he know he's wrong or he's so blinded by his opinion that he can't reason properly. However, some people are going to think he's right. That's not fair to anyone who enjoys using Apple products or is one of these "mac zealots" who want to expand the user base.
4) This isn't in the same degree as some gross mischaracterizations that the media is known for (such as overblowing safety warnings or terrorism alerts, or incorrectly running news stories on urban legends and hoaxes which aren't true; yes that has happened before and continues to do so!), but every article, factual or opinionated, that contains false facts must be refuted. The journalism industry is taken for granted, at least in America, and when one of them screws up in order to get more money or get a promotion or because someone ordered them to, or some other sleazy means, then better journalists, or the public in general, should stand up and say the media is dead wrong.
Re:correction for the illiterate (Score:3, Insightful)
Ever think that maybe this was just a typo? They happen yanno. Not every mistake is made by a "low brow" trying to sound fancy. Some philosophers are just not good spellers
story NOT and editorial (Score:2)
Unfortunetly the orignal story was an editorial, but not presented as such.
Interesting Article (Score:2, Informative)
Saying that, I have to make the statement that I am an OS X user, and I love it. The simple fact that is asks for my username and password when I try to install applications is a wonder in itself.
Re:Interesting Article (Score:2, Insightful)
Excuse me? Why not? If XP uses (or even supports) the same DLL system as previous versions of windows, I don't see any way you could avoid DLL hell other than careful control of where and how software is installed.
Re:Interesting Article (Score:2, Informative)
Re:Interesting Article (Score:2, Interesting)
Sorry bub, but it seems Microsoft pulled a fast one on you.
Re:Interesting Article (Score:3, Informative)
Umm... no. If you had done your own research, you would have found out that Win
Re: DLL Hell (Score:2, Insightful)
The reality is that new applications written specifically for
Re:Interesting Article (Score:5, Informative)
Considering that only about 8% of the windows users are running XP (95, 98 and 2000 are the majority), then his comments still stand. The recent spate of articles on MS dropping support for Win98 has posted the ratios quite clearly.
BWP
Re:Interesting Article (Score:3, Insightful)
That would be 38% according to Google, by the way. That study you're misquoting only surveyed a small sample of a specific market segment.
Re:Interesting Article (Score:2)
Re:Interesting Article (Score:2)
Considering we were comparing the existance of DRM in WM9 and iTunes, whether CDex has DRM or not is quite frankly irrelevant. My point is, while both have DRM, their implementation is very different. iTunes doesn't apply DRM to any CDs you rip yourself, but rather only uses it on songs you buy from the iTunes Music Store.
Re:Interesting Article (Score:2)
Curious.. (Score:5, Informative)
Minus the trolls and such.
Re:Curious.. (Score:4, Interesting)
Dear Mr. Ulanoff,
I am writing to you just to send you a couple of informative references on general computer security. I promise to stick to the basics, and I am sure you will dig deeper if interested.
One of the basics of remote exploits is the ability to -once a remote vulnerability is discovered-, send malicious code snippets that get executed with privileges on the target computer. For instance, they might be sent exploiting a buffer overflow bug or a flawed service left running on an open port.
This is well known in the MS Windows world and even Linux, as they commonly share the same underlying hardware architecture (namely x86). There is plenty of information on how to build such malicious code snippets (basically anyone knowledgeable in x86 assembler can do it) as well as pre-built apps and scripts to send them. This is well known. It is also well known that a vulnerability must be present for the code to be able to be executed at all.
It is a common myth that -by following this logic-, other platforms that are less used, like for example MacOSX (subject of a security article of your own), are more secure because technical knowledge about them is less common (eg. PPC assembler language) and are not so commonly used. One might think the malicious code needs to be built by real gurus, few in number, that have no interest in doing that.
*However*, doing a trivial search on Google (also published on
http://www.securiteam.com/securityreviews/PPC_O
Is a no-nonsense compilation of MacOSX PPC malicious payloads and the rationale behind them. After copy-pasting from it, anyone can do remote attacks on MacOSX, *provided* a vulnerability is actually found. No vulnerability, no attack. The paper requires a low level of technical knowledge and actually has little merit (apart from being somewhat clear and concise).
So, using information freely available, easily found, in common knowledge (published on
So it *cannot* be possibly said that MacOSX achieves its high level of security by obscurity. It accomplishes it by *design*.
It is really sad that the old argument of 'security by obscurity' is being raised over and over. Read that paper.
Mr. Ulanoff, I promised you two links and I have provided only one. The other is not actually a link but a reference. Just walk to your nearest technical bookstore or Computer Science library, look for the PPC assembly and architecture books that have been publicily available for years. My cheapo college library has them, yours surely has.
I am looking forward to further informed security articles by you. Please do not hesitate to mail me should you need further references on this or any other technical question.
Best regards,
xxxxxxx
The main difference (Score:3, Interesting)
Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased. That's because unlike Windows, Mac OS was designed from the ground up with security in mind. Is it totally secure? Nothing will ever be totally secure. But when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional.
security through obscurity (Score:4, Interesting)
I realize this is an oft-repeated truism, and obscurity alone doesn't make a system truly secure...but it certainly helps. To make an analogy, I know of many friends who have been robbed, even when their valuables were well-locked. However, those who put their valuables in places theives never think to look are generally the ones who keep them - good security is never perfect, and is generally at best a deterrent, at worst a challenge. Hell, security through obscurity is the whole basis for steganography, though most would recommend encryption as part of a "why not?" sort of preprocessing step.
As such, I think it's a given that Windows is at least less secure because of its market share. Whether Mac is more secure because of its obecurity is debatable - I'm sure there are a number of generic unix exploits that macs would suffer from, and the general unix community is very high profile.
Re:The main difference (Score:5, Insightful)
Please observe that the term "security through obscurity" is often used in two slightly different meanings, one that obviously doesn't work and one that is at least not so obvious. Let me separate them:
THE ONE THAT OBVIOUSLY DOES NOT WORK is "let us make our system as obscure as possible by refusing to supply any extensive documentation to the public, not to mention the source code; the less anyone knows about our system the better". Microsoft often resorted (still resorts?) to this kind of "s-t-o" strategy. It doesn't work, because sooner or later the internal documentation will leak, malicious crackers will get it anyway and the bona fide hackers won't provide you with their valuable security alerts, patches etc. This meaning of "s-t-o" has actually nothing to do with the popularity of a given system - it's a matter of a vendor's strategy, not a market share.
THE ONE THAT IS NOT THAT OBVIOUS AFTER ALL is "let us maximize our security by choosing a system that is not-so-popular, so at least the script kiddies would have to do some homework before they could even try to log in to our network, not to mention use any actual exploits". To some extent it works - script kiddies by very definition go for an easy prey and a not-so-popular system is not one.
Now, please observe that MacOS X does indeed offer "s-t-o", but only in the latter, not-so-obvious meaning. In the first meaning, it is not obscure at all. Everything related to network, communications, protocols etc. is open in MacOS X - only the GUI layer is proprietary.
I don't like the "security through obscurity doesn't work" mantra just because it is a mantra - people seem to just repeat it, without backing it with any examples. In some cases it's obvious, but in some - it is not. Just wanted to clarify that.
My word-search on the article ... (Score:2, Interesting)
Now what except the GUI is so specific to OS X that one may write an article related to security without at least touching the root(s).
CC.
Your word search is broken :) (Score:2, Interesting)
and
and
You must be referring to the *original* article... the first makes no reference to BSD or UNIX. Based on that, I wholeheartedly agree with your assessment - I do not think that the original author had a real understanding of OS X, BSB, UINX, or for that matter, even Windows.
We would never actually read a serious article of this nature because
Re:Your word search is broken :) (Score:2)
Re:My word-search on the article ... (Score:2)
"what happens when you don't understand..." (Score:2, Insightful)
A blog entry [bynkii.com] (not mine) on the subject.
Enjoy.
He he he (Score:2)
The wierd thing... (Score:3, Insightful)
Re:The wierd thing... (Score:3, Informative)
The classic Mac OS's did have vulnerabilities, but they were not well-documented and sporadic. In certain places bad coding produced code that was vulnerable to buffer overflow exploits. However, those are difficult to use under the best of circumstances.
Because Mac OS did not run on x86 hardware it had a different stack struc
Re:The wierd thing... (Score:5, Informative)
You can see one anytime you want by just checking this test [u-struct.com] site. It works in a similar way as the infamous autostart worm [llnl.gov] that plagued MacOS Classic machines. The vulnerability works as follows:
1. You click on a link on a website like the above. It starts to download a stuffit-packed disk image to your desktop [without asking; that's the default configuration]
2. Stuffit unpacks and mounts the image [without asking; that's the default configuration]
3. Classic QuickTime sees a newly mounted image and initiates Autostart procedure [DEFAULT CONFIGURATION!]
4. Bingo - you allowed a remote source to execute arbitrary code on your system; and even under MacOS X, it started as a Classic layer process so it runs actually as root
The test site "attacks" you only with a very simple AppleScript applet that only opens your trashcan and that's it. But just think of the possibilites for a really malicious use. It was a very severe vulnerability for all vanilla-configured MacOS 9 (and earlier) machines; but unfortunately, also MacOS X machines with their Classic layer configured as the vanilla MacOS 9 were affected. THIS INCLUDES the MacOS X 10.3 "Panther". In fact, Classic layer always was and still is the biggest security hole in MacOS X, but that's another story. Anyway, Apple was crazy to provide Autostart option in QuickTime (who needs it, anyway?) but it was even more crazy to provide it as the DEFAULT configuration.
Re:The wierd thing... (Score:2, Insightful)
Re:The wierd thing... (Score:2)
Yes, there is plenty of doubt that there were plenty. OS 9 literally has no services built in; none. A fresh install of OS 9 is displaying no open ports to the outside world. The only kind of vulnerability it could possibly have had would be a vulnerability in the TCP stack itself. And then you have to somehow load in enough code to gain remote access. It's not going to be some little 500-byte assembly program that opens a port and connects it to
It wasn't just his tone (Score:2)
That people pay him money to spew out crap like that (and that other people that are supposed to be fact-checking/editorially judging are as well) is truly depressing.
I have not heard of one successful r00ting of OS X (Score:5, Interesting)
Are there any viruses/trojans for OS X?
I know there was the ssh deal a while back, but does anyone know of any remote r00ting of an OS X box anywhere?
stubborn institutional pride/hubris, etc... (Score:5, Interesting)
Re:stubborn institutional pride/hubris, etc... (Score:5, Informative)
Apple was able to get away with Mac OS X on top of BSD, using their own modern driver architecture (IOKit) because they had a relatively small hardware subset that they had to support (and you'll note they didn't even *try* and support a whole bunch of their older machines...). And it still took them 4 years to get the first version out the door.
For Microsoft to to the same thing would be tons more complicated, given the ungodly amount of hardware they have to support.
(Drivers are the long term bane of Linux and BSD as well -- The Linux driver model is, IMHO, a horribly antiquated mess needing a complete tear out and replacement. It's not going to get that anytime soon for the same reasons outlined above - too many new drivers to support. I'm not familiar with the BSD model, but if it's anything like the over 20 year old UNIX device model, I'm *very* glad Apple chose to use IOKit instead...)
IMHO, if Microsoft wants to produce a truly stable OS, they need to tear their kernel development away from the rest of the OS, and put everything else (especially IE) in a nice isolated sandbox. I would say the vast majority of Windows security holes are there because MS tries to integrate way too much high level functionality into the core OS.
Of course, if they do that, then they risk people adding their own sandboxes on top of their core OS (like Java...) and losing control of the application developers who currently are slaved to that highly integrated high level functionality...
Re:stubborn institutional pride/hubris, etc... (Score:3, Interesting)
Re:stubborn institutional pride/hubris, etc... (Score:3, Interesting)
Better read than the PC Mag Article (Score:4, Funny)
The PC Mag article read as a 'neener neener neener I hate you' article vs. something with content.
MS should learn from ship builders (Score:5, Insightful)
One of my greatest concerns with MS attitude towards design of their "ships", especially Windows and Office is, that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up re-booting for way too many MS patches. Why should I have to reboot, if I patch my browser or e-mail client?
Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
Re:MS should learn from ship builders (Score:3, Interesting)
When you statically link libraries, each time you get a security fix for a library you have to rebuild ALL of the effected applications and redeploy them. Forget one, and you're still vulnerable. With dynamicall
a few things (Score:5, Insightful)
PEBKAC
We'll Just Have to see (Score:2, Insightful)
In three years M$ will come out with supposedly secure computing, with more of an eye toward how to KEEP
Reply to rebuttal (Score:3, Funny)
From: Lance Ulanoff
Subject: Re: Mac Security
YHL YHBT HAND
I subscribe to PC Mag (Score:2, Insightful)
You're confusing 2 things here (Score:3, Insightful)
So is Mac OS X less of a target because of smaller market share? Yes.
The original authour, like yourself, is confusing 2 things here, and this is why you see so many rebuttals to these sort of comments. A larger market share makes anything a bigger target. Duh. Anyone can figure that out. The problem is, it's a
Not a fair comparison (Score:3, Interesting)
That is true, right now, but it is not a fair comparison.
Look, I'm no MS fan, but they have not released an operating system since they started their "trustworthy" initiative. The Windows operating systems being discussed are old (WinXP came out in 2001), and obviously full of holes--so full of holes that MS had to start this whole focus on security.
So comparing anything to an admittedly weak and insecure operating system is just plain silly. Everyone knows Windows is insecure. Saying MacOSX is more secure than Windows means nothing, and in fact makes OSX security look comparable to that of Windows when in fact it is far better (regardless of what that PCMagazine moron wants to believe).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
Re:Not a fair comparison (Score:5, Insightful)
XP might be old, but it is what people are allowed to buy *now*, so your point does not apply. It is insecure *now* and it is being sold *now* (read, not discontinued or the like).
So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
I have just installed a network of computers, loaded with MS software I just bought. I need to be secure now, not in 2-3 years time.
dani++
Yeah yeah. (Score:5, Informative)
- Nothing is totally secure, if it's at all useful.
- Windows is demonstrably NOT secure. IT's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.
- OS X is without question far more secure than windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, makes it less prone to exploits.
- Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that mac users don't have to worry about viruses on a dialy basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as windows"
The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.
Mac Zealots or AnitMac Zealots (Score:5, Insightful)
The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics. For whatever reason, these individuals *hate* Macs. Not just Dislike Macs, but actively *hate* them, with a passion remeniscant of Religious Fundamentalists.
People who rebute these AntiMac Fanatics are Labeled Mac Zealots. This is only a half truth, they are really just qualifiers of the AntiMac FUD.
Anti-OS sentiments aren't restricted to MacOS, though, There are plenty of AntiMS, AntiLinux, AntiBSD and Anti[insert favourite OS here] Fanatics. Are you one of them?
Re:Mac Zealots or AnitMac Zealots--not just OSes (Score:3, Interesting)
The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics.
There's some kind of fundamental truth there. For example: I was a vegetarian for a decade, and during that time I noticed there was a type of person who looked upon my eating habits as a personal attack. These people would try to drag me into an argument about how I wasn't enough protein, etc. I realized I couldn't win: If I shrug it off, I'm a mindless cultist. If I try to disabuse them of their notions, I'm a fanatic.
Later
So blown out of proportion ... (Score:5, Informative)
Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:
This was written in 1997, note the last paragraph above. These issues has been discusses and documented in several RFCs, many years ago...
-- Leif
Everything is relational.. (Score:5, Funny)
I smell a Monty Python skit in here somewhere!
m$ champ wrote like a typical m$ paid copy writer (Score:3, Insightful)
I said it... (Score:5, Insightful)
This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.
This functionality - yes, functionality - has been in Mac OS X and its predecessors for YEARS. Just because all of a sudden someone paints it as a root exploit does not make it so. This is nothing like the standard fare of Windows remote exploits, some of which can be exploited against unpatched machines from any location on earth, at will, remotely, at any time, against any unprotected vulnerable machine. This "exploit" requires that a roque DHCP server be set up on your local network (!), and that a machine be rebooted (or otherwise perform a DHCP request) in this malicious environment. I repeat: just calling something a root exploit does not make it so.
Perhaps it's time to have a larger discussion about how much you can really trust your local network infrastructure services, be they in a home environment or in a corporate setting, because that's what this is really about.
Should Mac OS X have this default behavior?
What are the tradeoffs?
And so on.
I just find the distinct lack of understanding of this issue astounding.
(Note: and no, this isn't an issue of Apple glossing over something by calling something a "feature" when it's really an "exploit", as you could argue for some of MS's exploits. This really is a feature, and one that can be taken advantage of by rogue services on your network...like just about anything can in one way or another. If you're being affected by this so-called "exploit", you've got bigger problems on your hands...)
What I think is funny... (Score:4, Insightful)
Re:What I think is funny... (Score:4, Insightful)
New Mac OS X vulnerability... Buffer overflow/priv (Score:3, Interesting)
http://www.securityfocus.com/archive/1/347578 [securityfocus.com]
Re:Don't always assume a smear campaing (Score:5, Insightful)
so why comment on the relationship between the two if you are obviously misinformed and you admit it?
Re:Don't always assume a smear campaing (Score:4, Interesting)
I mean, if I said, "I wish he'd just shut his mouth if he's not going to read the article," you can safely assume more malice there than if I said "He really should read the article before commenting," right?
Re:Don't always assume a smear campaing (Score:5, Insightful)
It's not too much of an assumption. The author of the orinigal piece said he was glad that there was finally a big vulnerability for Mac OS, and that he was tired of Mac users looking smug when SAMS edition Conquer the Internet in 12 Hours outlook viruses pass them over. The whole piece just had a tone of "I'm really sick of people bragging about Mac OS."
Re:Don't always assume a smear campaing (Score:5, Informative)
How cocky are you feeling now, Mac elite?
While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.
Re:Don't always assume a smear campaing (Score:3, Insightful)
Hmm. Suddenly it's gotten pretty quiet around here.
REALLY got on my nerves. Anyone who declares victory at the end of their own damn article...
and hell, Windows is the only OS I use on a daily basis, other than some Usenet in a Unix shell account.
Parent post summed: (Score:2)
Re:Don't always assume a smear campaing (Score:4, Informative)
I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther...
I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.
I generally counter with what is apparently a secret carefully hidden from Mac zealots:...
But the mindlessly superior retort is always the same....
Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"
Those quotes alone comprise half the first few paragraphs. See, that wasn't too hard, was it?
Re:Don't always assume a smear campaing (Score:3, Informative)
which viruses would these be? there are still no virii that attack mac os x.
Re:Don't always assume a smear campaing (Score:5, Insightful)
PCs are open holes with regards to virii.
Macs are a dream in this respect. Even the old OS 9 & lesser.
Obscurity DOES play a part. A small part. The win 95/98 verisons of windows that are STILL being used are horrors. The newer versions are much better (Me, 2000, XP) but still, the win computer ships with the doors unlocked and open. And the solutions made to close them are subpar. What if I WANT to email a
I could regail you with tales of the reocurring Scsvr/brasil/ops32 virus at our old office but and all the times our pcs went down but I won't. The time wasted cost us enough.
The original reporter is a bitter man who is upset that the one part of the mac he chooses to address is much better than the same area on the pc and is despirate to "fight back" and say "nyah, nyah, I tooold you" to the mac crowd, painting them as elitist pinkie pointing beret toting espresso drinkers.
We need more rebuttals like the one that started this thread. I know many who claim that "less macs = less mac virii you stooge" without closely examining the situation.
At last check, there were about 60 mac virii. At most 100.
How many win virii are there out there? 50 thousand? 60 thousand?
The more the correct message gets published by competent professionals, the less win/mac virii FUD will be going around.
Cheers,
Re:OSX is weak - here is some homework. (Score:3, Interesting)
Wow!!!
Are you going to explain why Joe Blow's ability to create files in the root directory is a security risk, since he can only remove files that he himself owns? I hope you're not just trying to hide behind "sticky bit" jargon and lofty claims of "weakening a security model that has already had significant difficulties."
Re:OSX is weak - here is some homework. (Score:5, Informative)
cp -r etc myetc; mv etc etc.old ; mv myetc etc
And then you control etc.
However, due to the sticky bit:
dustin2wti:/tmp/test 520% ls -ld . etc
drwxrwxr-t 3 root admin 102 15 Dec 14:10
drwxr-xr-x 2 root wheel 68 15 Dec 14:10 etc/
dustin2wti:/tmp/test 521% mv etc newetc
mv: rename etc to newetc: Operation not permitted
(because of the sticky bit and my lack of ownership over etc)
Remember, renames are *directory* modifications, not file modifications. The sticky bit fills in the difference.
Re:Interesting (Score:3, Informative)
http://security.tombom.co.uk/shatter.html [tombom.co.uk]
There is a followup to this paper that discusses Microsoft response the it. The author isn't happy with the response.
The root of this issue is the Win32 API, and its origins as a real mode compatible API with no security, and no memory
Re:Interesting (Score:3, Informative)
I was refering to the old 16 bit Windows API, which the Win32 API is based on. My original post was phrased rather poorly - sorry.
Win32's roots in the 16 bit Windows API are the r