Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
OS X Businesses Operating Systems Software Windows Apple

Mac OS X Security Criticisms Countered 464

Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."
This discussion has been archived. No new comments can be posted.

Mac OS X Security Criticisms Countered

Comments Filter:
  • Slow site (Score:5, Informative)

    by Anonymous Coward on Monday December 15, 2003 @02:39PM (#7727274)
    article text, reprinted as permitted by author. Enjoyez-vous.

    Muckraking, the PC Way
    Richard Forno
    12 Dec 03
    Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.


    Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.


    Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.

    Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

    In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."

    In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?

    More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.

    Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.

    The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. Its also something Microsoft unfortunately cant accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)

    At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesnt have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win

  • ok.. (Score:5, Funny)

    by junkymailbox ( 731309 ) * on Monday December 15, 2003 @02:40PM (#7727282)
    not much comparison when you start comparing your security to windows security.
  • by goldspider ( 445116 ) on Monday December 15, 2003 @02:41PM (#7727292) Homepage
    I did RTFA, and it would seem to me that the rebuttal would have sufficiently stood on the merit of the facts, without all the sniping at Ulanoff.

    Tho Forno is mostly correct in his assertions, I would take him MUCH more seriously if his argument wasn't riddled with immature name-calling.

    • by palutke ( 58340 ) * on Monday December 15, 2003 @02:50PM (#7727377)
      As a rule, I treat everything that a 'technologist/author' says as worthless until they prove otherwise. It seems that 'technologist' is one of those titles that people attach to themselves when they don't posess any useful skills (to me, anyway).

      As the parent said, this guys facts seem solid, but his attitude makes it difficult to take him seriously.
      • by On Lawn ( 1073 ) on Monday December 15, 2003 @03:10PM (#7727591) Journal
        So in short,

        Technologist is to technology what Waitress is to acting?
      • this guys facts seem solid, but his attitude makes it difficult to take him seriously.

        I took him a lot more seriously than Lance. Wanna know why? It's not because I am biased toward the Mac (Which I freely admit), but because his page is devoid of advertising.

        That's right, he's not trying to sell me something through a banner ad. His writing is personal conviction, not whoring for ad money. The PCMag article is surrounded by hundreds of links trying to sell you something, various banners and a flas

    • by Bill, Shooter of Bul ( 629286 ) on Monday December 15, 2003 @02:50PM (#7727386) Journal
      Exactly. The original article may have been flaimbait, but it really didn't require another article to point out all of the obvious flaws. Even if it did, this author could have avoided sinking to his level.
    • by Oculus Habent ( 562837 ) * <oculus.habent@g m a il.com> on Monday December 15, 2003 @02:54PM (#7727432) Journal
      Every work day, I use Mac OS X 10.3, Windows XP Pro, 2k Pro, NT 4, and 98 - sometimes 95, too. I like my Mac. I could go into why, but no one asked me, so I won't. How the original story managed to make some sort of grade for acceptability at PC Magazine makes me less interested in the publication.

      I concur will your view - the correct answer, said rudely, still isn't right.
      • he correct answer, said rudely, still isn't right.

        Um... please help me understand this one. Does this mean if you say a truth meanly, it's not true? I think you need to clarify that it is the rudeness, not the factuality, which is in question. The ambiguity of the English language leaves too much room for such things, and often just gets people mad at each other.

        Say what you mean, and mean what you say.

    • by kylef ( 196302 ) on Monday December 15, 2003 @03:01PM (#7727495)

      You are right, of course. But expecting Forno to avoid name-calling would mean expecting him to avoid feeding the Troll. This one was so cute, and looked so hungry... Maybe just a LITTLE food would be okay...

      Crap. Slashdot picked it up. So much for keeping the Troll population down this Christmas season!

    • Deservedly (Score:5, Interesting)

      by burgburgburg ( 574866 ) <splisken06&email,com> on Monday December 15, 2003 @03:10PM (#7727595)
      The original "commentary" was not just chock full of factual errors, improper syllogisms, et. al. It was dripping with such a malice-filled glee at the notion that OS X might be as insecure as Windows that one has to wonder as to real root of the author's problems. He mentions how angered he is by the laughing of OS X users every time he has to deal with another Windows virus/trojan/bug. Are "commentaries" like his the sad, pathetic result of not working on an OS that "just works"?
  • trust (Score:4, Interesting)

    by rwven ( 663186 ) on Monday December 15, 2003 @02:43PM (#7727301)
    the bottom line is which are you going to trust anyway? the only computer that i would fully trust to protect my stuff would be a gentoo linux box custom made for a specific purpose. Self patching and very few applications installed for a person to take advantage of. the bottom line is though XP and Mac OSX may be "secure" they're not secure enough for anything important. (in my humble opinion.) I also work at a place where security is EVERYTHING so i guess i see it different... This pointless blathering about security shoudl convince no one of anything, especially when zealots are concerned.... I say use whatever works best for what you are doing. if you want REAL security, you shouldnt use either of those OS's
    • by voixderaison ( 665336 ) on Monday December 15, 2003 @02:57PM (#7727456) Homepage
      If you work in a place where "security is EVERYTHING", then you should know that trust is *not* the bottom line.

      Don't trust vendors.
      Don't trust open source.
      Trust no one.
      Audit.
    • I say use whatever works best for what you are doing. if you want REAL security, you shouldnt use either of those OS's

      Although it should be noted that anyone can download source and build the Darwin OS themselves http://developer.apple.com/darwin/ (Mac OS X is built on Darwin, which is built on BSD).
    • "This pointless blathering about security shoudl convince no one of anything, especially, when zealots are concerned...."

      And yet...

      the only computer that i would fully trust to protect my stuff would be a gentoo linux box custom made for a specific purpose

      not that I have anything against gentoo zea..., ehmm... I mean folks putting in a good word for gentoo, even if it is unrelated to the article :-p
    • Re:trust (Score:4, Informative)

      by telbij ( 465356 ) on Monday December 15, 2003 @03:27PM (#7727770)
      So you're saying there's no middle ground... either you need security and run Gentoo or you need to do some real work and then take your pick?

      In the real world where a person may need to run various applications and perform unforeseen tasks, security is still a consideration. I myself run OS X because (among other reasons) I don't like having system performance degrade over time, or worry about opening emails. Is having my system hacked the end of the world? No, but I'll take the better odds any day.
    • Re:trust (Score:5, Interesting)

      by ducomputergeek ( 595742 ) on Monday December 15, 2003 @03:28PM (#7727778)
      Security was everything at one of the places I worked. We had a special lead incased steel room with computer monitors and armed gaurds to get in and out with at least three different methods of Identity conformation. Those units in that room were not networked and media could go in, but not out. When it was time for something to go, the nice distructo matic guys came in, busted the monitors, all the hardware and ran magnates over everything just to make sure. Granted that was a DoD contractor and much of the work in those rooms were even above my security clearance. That's about as secure as you can get, and yes some of the computers ran windows.

      As far as that goes, no operating system is 100% secure. The only way its secure is if its off. If you require a password to log on, its vunerable. If to nothing else, someone else on the inside figuring out that password. 80% of all the breaches we see are inside jobs. Either disgruntaled employee, sys admins don't remove passwords of terminated or former employees, or a hacker goes calls on the phone saying, "I'm joe from department x or branch y, and I forgot my password".

      Even now, we have an internal network of 3 computers linked to a server that manages our accounting data. None of those boxes are connected to the Internet. That only leaves the possiblity of a breach from within or a unit being stolen physically from our office.

      We do a lot of IT consulting and expaning into security, and the one question we always have to ask ourselves and clients, "Okay, nothing is going to be 100% secure, where do you draw the line?" Granted, most of our clients have 20 or fewer employees and aren't doing a lot that needs governmental levels of security. Usually Zone Alarm Pro and Norton is about the best defense these people are going to get for the money. Some larger companies elect on having a dedicated hardware firewall installed or an *BSD box configured as a firewall too.

      Now on the desk of an average employee sets either a PowerMac G4 of various speeds, an iMac, iBook (yeah, I'm the President and I have an iBook), or a powerbook all running OS X.2 with my business partner's Powerbook the only 10.3 at the moment. We don't worry about the worm of the week on our machines.

      At the end of the day, the way in which Windows is built and the intergration of IE, MP, etc. there is only so much you can do, and saying "Switch to Linux" often isn't the answer as well, at least to our small business clients. And I will defend that position with one word: Quickbooks. At least with Macintosh, they can have their Office, QuickBooks, Email, and Internet with a system they can understand, and provides more security than windows out of the box. Perfect, no, practical, yes.

      • Re:trust (Score:5, Funny)

        by mattdm ( 1931 ) on Monday December 15, 2003 @04:27PM (#7728341) Homepage
        When it was time for something to go, the nice distructo matic guys came in, busted the monitors, all the hardware and ran magnates over everything just to make sure.

        What, like, Andrew Carnegie and John D. Rockefeller had to jog on the broken computers? How does that help? Man, I just don't understand security these days.
  • by TimTheFoolMan ( 656432 ) on Monday December 15, 2003 @02:43PM (#7727305) Homepage Journal
    'In other words, you're either with him [Lance Ulanoff] or with the "zealots."'

    If I have to choose sides, I'll go with the Zealots on this one. Apple's security and responses to breaches (so far) have been light years ahead of what I've dealt with from MS.

    Tim
  • Cockiness (Score:5, Funny)

    by fiannaFailMan ( 702447 ) on Monday December 15, 2003 @02:43PM (#7727312) Journal
    From the original article:
    How cocky are you feeling now, Mac elite?
    As cocky as ever, thank you very much.
  • *sigh* (Score:5, Insightful)

    by Oculus Habent ( 562837 ) * <oculus.habent@g m a il.com> on Monday December 15, 2003 @02:43PM (#7727314) Journal
    The PC Magazine story was just about that - a story.

    It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.

    It's unfortunate that people need to write rebuttals to this sort of journalism, but some naive readers out there will simply take it at face value because it's in print, so it must be true.
    • Re:*sigh* (Score:5, Insightful)

      by ack154 ( 591432 ) on Monday December 15, 2003 @02:50PM (#7727379)
      But what if many people read that and don't see it as just a "story"? What if people take it for what he wrote? (Essentially saying Mac is "as bad as" Windows based on this one vulnerability he mentioned).

      While this new article does take maybe too much aim at the original author, it should at least help clarify what is really going on.

      I'm far from a security expert or anything, but I would be far more apt to trust Mac OS security out of the box than Windows security...
    • Re:*sigh* (Score:5, Insightful)

      by Ringel ( 31107 ) on Monday December 15, 2003 @02:57PM (#7727448)

      It wasn't a report. It wasn't an account. It wasn't an investigation. It wasn't supported by facts. It wasn't supported by logic. It was an opinion piece that, from my view, wasn't well thought or well written.

      Unfortunately, it is exactly that type of disingenuousness that is the hallmark of yellow journalism. You don't get to ex post facto decide whether something is a story or journalism. I assure you that there is no field for "story" or "journalism" in any standard bibliographic form. This is how people like Ann Coulter get away with slander, and then take a "ha ha only kidding just my opinion" stance to defend themselves.

      As soon as a story is referenced, it becomes a reference, regardless of what the original motivations were.

    • Re:*sigh* (Score:5, Insightful)

      by hellfire ( 86129 ) <deviladv AT gmail DOT com> on Monday December 15, 2003 @03:03PM (#7727524) Homepage
      I disagree with you for several reasons:

      1) If Lance can post something regarding his opinion of an operating system, then Richard can post his opinion of Lance's article.

      2) Everyone's entitled to an opinion, but not all opinions are equally valid. This is a fundamental point of epistomology. Lance is spreading FUD. What his motivation is, is unclear. But that doesn't give Lance the right to be spreading false accusations. Someone has to stand up and say so. If I were as good a writer as Richard I might have done it.

      3) Lance KNOWS what he's doing, and either he know he's wrong or he's so blinded by his opinion that he can't reason properly. However, some people are going to think he's right. That's not fair to anyone who enjoys using Apple products or is one of these "mac zealots" who want to expand the user base.

      4) This isn't in the same degree as some gross mischaracterizations that the media is known for (such as overblowing safety warnings or terrorism alerts, or incorrectly running news stories on urban legends and hoaxes which aren't true; yes that has happened before and continues to do so!), but every article, factual or opinionated, that contains false facts must be refuted. The journalism industry is taken for granted, at least in America, and when one of them screws up in order to get more money or get a promotion or because someone ordered them to, or some other sleazy means, then better journalists, or the public in general, should stand up and say the media is dead wrong.
    • News stories are supposed to be based on fact, or have factual content (not that there is ever completely bias free journalism). Editorials are bassed on opinion.

      Unfortunetly the orignal story was an editorial, but not presented as such.

  • That is a great article, but for some reason it feels like he didn't really do that much research. For instance, his reference to DLL Hell is outdated - Windows XP doesn't suffer from that issue.

    Saying that, I have to make the statement that I am an OS X user, and I love it. The simple fact that is asks for my username and password when I try to install applications is a wonder in itself.
    • For instance, his reference to DLL Hell is outdated - Windows XP doesn't suffer from that issue.

      Excuse me? Why not? If XP uses (or even supports) the same DLL system as previous versions of windows, I don't see any way you could avoid DLL hell other than careful control of where and how software is installed.

      • Take a look here [microsoft.com] for a brief overview. I'm not saying that this is perfect, but by being able to run multiple versions in memeory does help alleviate the pontential for DLL conflicts.
        • Umm... no. The problem of DLL hell is because programs (including Windows) all throw their DLLs into the winnt\system folder. New versions of DLLs overwrite old versions, files get left behind during uninstalls, etc. All this contributes to the long-standing problem of "DLL hell". Simply allowing multiple/separate copies in memory is something that all OSes (including Windows) have been able to do for many, many, many years.

          Sorry bub, but it seems Microsoft pulled a fast one on you.

          • Umm... no. The problem of DLL hell is because programs (including Windows) all throw their DLLs into the winnt\system folder. New versions of DLLs overwrite old versions, files get left behind during uninstalls, etc. All this contributes to the long-standing problem of "DLL hell". Simply allowing multiple/separate copies in memory is something that all OSes (including Windows) have been able to do for many, many, many years.

            Umm... no. If you had done your own research, you would have found out that Win

    • Re: DLL Hell (Score:2, Insightful)

      by Anonymous Coward
      You're confusing Microsoft propaganda ("we fixed DLL Hell!") with reality.

      The reality is that new applications written specifically for .NET may manage to avoid most of DLL Hell (except for all the caveats like ADO problems), but this is of limited help with the existing DLL hell (eg, shell versions, which is a problem noone can fix but Microsoft, and they lack the money and incentive).

    • by bovinewasteproduct ( 514128 ) <gclarkii.gmail@com> on Monday December 15, 2003 @04:02PM (#7728118) Homepage
      Windows XP doesn't suffer from that issue

      Considering that only about 8% of the windows users are running XP (95, 98 and 2000 are the majority), then his comments still stand. The recent spate of articles on MS dropping support for Win98 has posted the ratios quite clearly.

      BWP
      • Considering that only about 8% of the windows users are running XP (95, 98 and 2000 are the majority), then his comments still stand. The recent spate of articles on MS dropping support for Win98 has posted the ratios quite clearly.


        That would be 38% according to Google, by the way. That study you're misquoting only surveyed a small sample of a specific market segment.
  • Curious.. (Score:5, Informative)

    by Metallic Matty ( 579124 ) on Monday December 15, 2003 @02:44PM (#7727323)
    You could have found a fairly accurate rebuttle [slashdot.org] right here at . as well.

    Minus the trolls and such.
    • Re:Curious.. (Score:4, Interesting)

      by danigiri ( 310827 ) on Monday December 15, 2003 @03:25PM (#7727734)
      Sorry to cross-post (posted on previous discussion) but I'm lazy (and point still stands). Here's another rebuttal from me that uses no personal attacks or any of that crap:

      Dear Mr. Ulanoff,

      I am writing to you just to send you a couple of informative references on general computer security. I promise to stick to the basics, and I am sure you will dig deeper if interested.

      One of the basics of remote exploits is the ability to -once a remote vulnerability is discovered-, send malicious code snippets that get executed with privileges on the target computer. For instance, they might be sent exploiting a buffer overflow bug or a flawed service left running on an open port.

      This is well known in the MS Windows world and even Linux, as they commonly share the same underlying hardware architecture (namely x86). There is plenty of information on how to build such malicious code snippets (basically anyone knowledgeable in x86 assembler can do it) as well as pre-built apps and scripts to send them. This is well known. It is also well known that a vulnerability must be present for the code to be able to be executed at all.

      It is a common myth that -by following this logic-, other platforms that are less used, like for example MacOSX (subject of a security article of your own), are more secure because technical knowledge about them is less common (eg. PPC assembler language) and are not so commonly used. One might think the malicious code needs to be built by real gurus, few in number, that have no interest in doing that.

      *However*, doing a trivial search on Google (also published on /. and so seen by thousands) this paper shows up:

      http://www.securiteam.com/securityreviews/PPC_OS X_ Shellcode_Assembly.pdf

      Is a no-nonsense compilation of MacOSX PPC malicious payloads and the rationale behind them. After copy-pasting from it, anyone can do remote attacks on MacOSX, *provided* a vulnerability is actually found. No vulnerability, no attack. The paper requires a low level of technical knowledge and actually has little merit (apart from being somewhat clear and concise).

      So, using information freely available, easily found, in common knowledge (published on /., not some backwater usenet), anyone could attack MacOSX boxes, *if* a vulnerability is discovered in it or in its running services.

      So it *cannot* be possibly said that MacOSX achieves its high level of security by obscurity. It accomplishes it by *design*.

      It is really sad that the old argument of 'security by obscurity' is being raised over and over. Read that paper.

      Mr. Ulanoff, I promised you two links and I have provided only one. The other is not actually a link but a reference. Just walk to your nearest technical bookstore or Computer Science library, look for the PPC assembly and architecture books that have been publicily available for years. My cheapo college library has them, yours surely has.

      I am looking forward to further informed security articles by you. Please do not hesitate to mail me should you need further references on this or any other technical question.

      Best regards,

      xxxxxxx
  • The main difference (Score:3, Interesting)

    by LinuxMacWin ( 79859 ) on Monday December 15, 2003 @02:47PM (#7727346)
    .....

    Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased. That's because unlike Windows, Mac OS was designed from the ground up with security in mind. Is it totally secure? Nothing will ever be totally secure. But when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional. .....
    • by siskbc ( 598067 ) on Monday December 15, 2003 @03:14PM (#7727632) Homepage
      "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work.

      I realize this is an oft-repeated truism, and obscurity alone doesn't make a system truly secure...but it certainly helps. To make an analogy, I know of many friends who have been robbed, even when their valuables were well-locked. However, those who put their valuables in places theives never think to look are generally the ones who keep them - good security is never perfect, and is generally at best a deterrent, at worst a challenge. Hell, security through obscurity is the whole basis for steganography, though most would recommend encryption as part of a "why not?" sort of preprocessing step.

      As such, I think it's a given that Windows is at least less secure because of its market share. Whether Mac is more secure because of its obecurity is debatable - I'm sure there are a number of generic unix exploits that macs would suffer from, and the general unix community is very high profile.

    • by Trurl's Machine ( 651488 ) on Monday December 15, 2003 @03:29PM (#7727795) Journal
      Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work.

      Please observe that the term "security through obscurity" is often used in two slightly different meanings, one that obviously doesn't work and one that is at least not so obvious. Let me separate them:
      THE ONE THAT OBVIOUSLY DOES NOT WORK is "let us make our system as obscure as possible by refusing to supply any extensive documentation to the public, not to mention the source code; the less anyone knows about our system the better". Microsoft often resorted (still resorts?) to this kind of "s-t-o" strategy. It doesn't work, because sooner or later the internal documentation will leak, malicious crackers will get it anyway and the bona fide hackers won't provide you with their valuable security alerts, patches etc. This meaning of "s-t-o" has actually nothing to do with the popularity of a given system - it's a matter of a vendor's strategy, not a market share.
      THE ONE THAT IS NOT THAT OBVIOUS AFTER ALL is "let us maximize our security by choosing a system that is not-so-popular, so at least the script kiddies would have to do some homework before they could even try to log in to our network, not to mention use any actual exploits". To some extent it works - script kiddies by very definition go for an easy prey and a not-so-popular system is not one.

      Now, please observe that MacOS X does indeed offer "s-t-o", but only in the latter, not-so-obvious meaning. In the first meaning, it is not obscure at all. Everything related to network, communications, protocols etc. is open in MacOS X - only the GUI layer is proprietary.

      I don't like the "security through obscurity doesn't work" mantra just because it is a mantra - people seem to just repeat it, without backing it with any examples. In some cases it's obvious, but in some - it is not. Just wanted to clarify that.
  • ... missed both UNIX and BSD.

    Now what except the GUI is so specific to OS X that one may write an article related to security without at least touching the root(s).

    CC.
    • Snippets from the article: ..."system's FreeBSD foundation"...
      and ..."the Unix-based Mac OS X system"...
      and ..."not the same as the Unix 'root' account password"...

      You must be referring to the *original* article... the first makes no reference to BSD or UNIX. Based on that, I wholeheartedly agree with your assessment - I do not think that the original author had a real understanding of OS X, BSB, UINX, or for that matter, even Windows.

      We would never actually read a serious article of this nature because
      • I do not think that the original author had a real understanding of OS X, BSB, UINX, or for that matter, even Windows.
        Oh, there are plenty of other OS's he probably didn't understand, like AimgaOS, BoES, Solairs, NQX, or even Windows PX. :)
    • your word-search sucked.

      Unlike Windows, Mac OS X requires an administrator password to change certain configurations, run the system updater, and when installing new software. From a security perspective, this is another example of how Apple takes a proactive approach to system-level security. If a virus, remote hacker, or co-worker tries to install or reconfigure something on the system, theyre stymied without knowing the administrators password stored in the hardened System Keychain. (

      Incidentally, this

  • "... the problem."

    A blog entry [bynkii.com] (not mine) on the subject.

    Enjoy.

  • From the article:
    In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?
    Sounds very [verge.co.za] familiar...
  • The wierd thing... (Score:3, Insightful)

    by stuffedmonkey ( 733020 ) on Monday December 15, 2003 @02:51PM (#7727402)
    is that Mac os 9 was completly safe to the outside world. AFIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerablitly. Wasn't the army using a few G4 towers with Webstar as html servers? I wouldn't go back to 9 from 10.3 - but it was amazingly secure.
    • by Graff ( 532189 )

      Mac os 9 was completly safe to the outside world. AFIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerablitly.

      The classic Mac OS's did have vulnerabilities, but they were not well-documented and sporadic. In certain places bad coding produced code that was vulnerable to buffer overflow exploits. However, those are difficult to use under the best of circumstances.

      Because Mac OS did not run on x86 hardware it had a different stack struc

    • by Trurl's Machine ( 651488 ) on Monday December 15, 2003 @03:55PM (#7728057) Journal
      is that Mac os 9 was completly safe to the outside world. AFIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerablitly.

      You can see one anytime you want by just checking this test [u-struct.com] site. It works in a similar way as the infamous autostart worm [llnl.gov] that plagued MacOS Classic machines. The vulnerability works as follows:

      1. You click on a link on a website like the above. It starts to download a stuffit-packed disk image to your desktop [without asking; that's the default configuration]
      2. Stuffit unpacks and mounts the image [without asking; that's the default configuration]
      3. Classic QuickTime sees a newly mounted image and initiates Autostart procedure [DEFAULT CONFIGURATION!]
      4. Bingo - you allowed a remote source to execute arbitrary code on your system; and even under MacOS X, it started as a Classic layer process so it runs actually as root

      The test site "attacks" you only with a very simple AppleScript applet that only opens your trashcan and that's it. But just think of the possibilites for a really malicious use. It was a very severe vulnerability for all vanilla-configured MacOS 9 (and earlier) machines; but unfortunately, also MacOS X machines with their Classic layer configured as the vanilla MacOS 9 were affected. THIS INCLUDES the MacOS X 10.3 "Panther". In fact, Classic layer always was and still is the biggest security hole in MacOS X, but that's another story. Anyway, Apple was crazy to provide Autostart option in QuickTime (who needs it, anyway?) but it was even more crazy to provide it as the DEFAULT configuration.
  • It was the content. He didn't understand the problem, the overblew it beyond any comprehension and he attempted to find an equivalence between the issue and the base, core problems with Windows as far as security. The fact that he ladled his ridiculously stupid "commentary" with a kid burning ants gleefulness was just a capper.

    That people pay him money to spew out crap like that (and that other people that are supposed to be fact-checking/editorially judging are as well) is truly depressing.

  • Are there *any*? With a generic default install of 10.3 (plus net connection), are there any remote exploits? I'm guessing that any exploit that has been found is due to 3rd party software.

    Are there any viruses/trojans for OS X?

    I know there was the ssh deal a while back, but does anyone know of any remote r00ting of an OS X box anywhere?

  • by The Lynxpro ( 657990 ) <lynxpro@@@gmail...com> on Monday December 15, 2003 @03:00PM (#7727486)
    I think Apple has shown the way Microsoft should follow if they wish to bring security and stability to the Windows platform. Apple migrated over to the underpinnings of BSD without compromising the distinctness that only Apple brings to the table. If Microsoft truly cared about "trustworthy computing," they'd shift their gears and concentrate on gluing the Windows GUI and other applications to whatever BSD platform they chose to annoint. After their acquisition last year (the VirtualPC crew), Microsoft has the talents necessary to bring decent emulation of older Windows flavors to their new products. But apparently they [Microsoft] are too stubborn for their own good. It sounds like Longhorn will now be delayed until 2006 or 2007, and every year they slip, the more people and institutions will slip away to Linux and OS X for the very ideal of "trustworthy computing" they profess. Windows is broken as an OS, but as a GUI "bundled" on top of BSD, it would prove to be the magic Microsoft's shareholders are now searching for. And since Microsoft has been infusing SCO with cash, Microsoft would be "safe" from any litigation from SCO in regard to BSD or Linux...

    • by zgwortz962 ( 641208 ) on Monday December 15, 2003 @03:38PM (#7727892)
      Honestly, Microsoft trying to put a Windows GUI on top of BSD is probably a bad move for them. The problem, as is always the issue with new OSes, is drivers.

      Apple was able to get away with Mac OS X on top of BSD, using their own modern driver architecture (IOKit) because they had a relatively small hardware subset that they had to support (and you'll note they didn't even *try* and support a whole bunch of their older machines...). And it still took them 4 years to get the first version out the door.

      For Microsoft to to the same thing would be tons more complicated, given the ungodly amount of hardware they have to support.

      (Drivers are the long term bane of Linux and BSD as well -- The Linux driver model is, IMHO, a horribly antiquated mess needing a complete tear out and replacement. It's not going to get that anytime soon for the same reasons outlined above - too many new drivers to support. I'm not familiar with the BSD model, but if it's anything like the over 20 year old UNIX device model, I'm *very* glad Apple chose to use IOKit instead...)

      IMHO, if Microsoft wants to produce a truly stable OS, they need to tear their kernel development away from the rest of the OS, and put everything else (especially IE) in a nice isolated sandbox. I would say the vast majority of Windows security holes are there because MS tries to integrate way too much high level functionality into the core OS.

      Of course, if they do that, then they risk people adding their own sandboxes on top of their core OS (like Java...) and losing control of the application developers who currently are slaved to that highly integrated high level functionality...
    • It is not the kernel that is the problem. It _is_ the GUI. NT's kernel is just as good as Darwin as it shares almost the entire design methodology. All the insecure stuff exists in userland (IE, ISS, Outlook, MS scripting, MSSQL, COM, and so on) As was haughtily brought up in the rebuttal was that by default most services are off in OSX. (Of course I fail to see how either OSX or windows are better than Linux or BSD in this regard.) Changing kernels isn't going to stop the nearly twenty years of unaud
  • This at least had some bullets that backed up the statements.

    The PC Mag article read as a 'neener neener neener I hate you' article vs. something with content.

  • by nv5 ( 697631 ) on Monday December 15, 2003 @03:08PM (#7727575) Homepage Journal
    One of the great breakthroughs in safety design came when ships started to be built with compartments, which would prevent a single hull puncture to sink the whole ship. (Sadly the Titanic's compartments were all aligned in one dimension, so when the puncture was very long, it compromised all compartments).

    One of my greatest concerns with MS attitude towards design of their "ships", especially Windows and Office is, that they are integrated way too much. So any security "puncture" spills over way too easily into the rest of the ship. As a very annoying side effect, one ends up re-booting for way too many MS patches. Why should I have to reboot, if I patch my browser or e-mail client?

    Of course, MSIE, Outlook and MS Office vulnerabilities have been a lot less worrying for me, since fully switching to Mozilla and OpenOffice over a year ago!
  • a few things (Score:5, Insightful)

    by BigBir3d ( 454486 ) on Monday December 15, 2003 @03:10PM (#7727589) Journal
    Firstly, my new office machine is a Dell with XP Pro. My home machines are iBook with 10.3, and a ThinkPad with Mandrake 9.x (uptime near 60 days now). All 3 are stable machines that do what I want, when I want. The Thinkpad was the #1 machine until I had enough scratch to buy the iBook (apple.com does nice refurb sales from time to time). When sobig and the other malicious worms of 2003 came out, my office was all win98 machines, and a NT 4.0 server. Due to reading /. and using Norton Antivirus, the only machine affected by the onslaught were the machines I was not "allowed" to touch (#1 computer guy {I am the secondary guy}, and the owner of the company {"I did that already"}. In short, you can run any of these machines safely, with most all of the latest software. It just helps if you are not an idiot.

    PEBKAC
  • I Use, Run and Endorse OS X Server. For home and office use. I was co-incidentally running a Lab similar to that root exploit and guess what OSX is a ::real unix:: it has an exploit. I couldn't replicate because I use Kerberos. But this is the first and only time that I have had my development box (OBJ C / Java), Workgroup Server AND desktop on the same HW. with no loss of data in about three years.
    In three years M$ will come out with supposedly secure computing, with more of an eye toward how to KEEP
  • by Micro$will ( 592938 ) on Monday December 15, 2003 @03:21PM (#7727689) Homepage Journal
    To: Richard Forno
    From: Lance Ulanoff
    Subject: Re: Mac Security

    YHL YHBT HAND
  • And I read the original article in the magazine when I got it. Contrary to the rebutters opinion, I did't see the article as "muckraking". The author may not be as well informed as he should be. Pointing out that a simple firewall is enabled by default and that changing system settings is more difficult in Mac OS X would have gone a long way toward mitigating this kind of response, but certainly would not have eliminated it. I get the feeling that merely suggesting that Mac OS X feels less pain from viruses
    • I get the feeling that merely suggesting that Mac OS X feels less pain from viruses, trojans, and other nasties in part because it has a smaller market share would result in this sort of response

      So is Mac OS X less of a target because of smaller market share? Yes.

      The original authour, like yourself, is confusing 2 things here, and this is why you see so many rebuttals to these sort of comments. A larger market share makes anything a bigger target. Duh. Anyone can figure that out. The problem is, it's a
  • by andman42 ( 721375 ) on Monday December 15, 2003 @03:27PM (#7727767)
    Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure by design, default, and deployment."

    That is true, right now, but it is not a fair comparison.

    Look, I'm no MS fan, but they have not released an operating system since they started their "trustworthy" initiative. The Windows operating systems being discussed are old (WinXP came out in 2001), and obviously full of holes--so full of holes that MS had to start this whole focus on security.

    So comparing anything to an admittedly weak and insecure operating system is just plain silly. Everyone knows Windows is insecure. Saying MacOSX is more secure than Windows means nothing, and in fact makes OSX security look comparable to that of Windows when in fact it is far better (regardless of what that PCMagazine moron wants to believe).

    So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).
    • by danigiri ( 310827 ) on Monday December 15, 2003 @03:51PM (#7728034)
      Look, I'm no MS fan, but they have not released an operating system since they started their "trustworthy" initiative. The Windows operating systems being discussed are old (WinXP came out in 2001), and obviously full of holes--so full of holes that MS had to start this whole focus on security.

      XP might be old, but it is what people are allowed to buy *now*, so your point does not apply. It is insecure *now* and it is being sold *now* (read, not discontinued or the like).

      So, how about we give MS a chance and at least wait for them to release an OS under their "secure by design, default, and deployment" banner before we start ripping it. We may be pleasantly surprised (although I doubt it).

      I have just installed a network of computers, loaded with MS software I just bought. I need to be secure now, not in 2-3 years time.

      dani++

  • Yeah yeah. (Score:5, Informative)

    by mindstrm ( 20013 ) on Monday December 15, 2003 @03:28PM (#7727782)
    My summary of the situation:

    - Nothing is totally secure, if it's at all useful.

    - Windows is demonstrably NOT secure. IT's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.

    - OS X is without question far more secure than windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, makes it less prone to exploits.

    - Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that mac users don't have to worry about viruses on a dialy basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as windows"

    The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.

  • by Salvo ( 8037 ) on Monday December 15, 2003 @03:37PM (#7727876)
    I recently switched to MacOSX from BeOS. In my experience chatting to the Mac Community out there, they are not more fanatical than Any other Community. I've know Car Clubs who are more obsessive than the Macintosh Community.

    The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics. For whatever reason, these individuals *hate* Macs. Not just Dislike Macs, but actively *hate* them, with a passion remeniscant of Religious Fundamentalists.

    People who rebute these AntiMac Fanatics are Labeled Mac Zealots. This is only a half truth, they are really just qualifiers of the AntiMac FUD.

    Anti-OS sentiments aren't restricted to MacOS, though, There are plenty of AntiMS, AntiLinux, AntiBSD and Anti[insert favourite OS here] Fanatics. Are you one of them?
    • The only fanatics I've ran accross in the MacOSX World are the AntiMac Fanatics.

      There's some kind of fundamental truth there. For example: I was a vegetarian for a decade, and during that time I noticed there was a type of person who looked upon my eating habits as a personal attack. These people would try to drag me into an argument about how I wasn't enough protein, etc. I realized I couldn't win: If I shrug it off, I'm a mindless cultist. If I try to disabuse them of their notions, I'm a fanatic.

      Later

  • by Zwoop ( 35471 ) on Monday December 15, 2003 @03:39PM (#7727907) Homepage
    I still don't understand why this security "hole" got so much attention... Are people struggling to find problems with MacOSX? First of all, attacks like this is nothing new, just remember the old YP/NIS problems with broadcasting for the server, to mention just one example.

    Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:

    5. Security considerations

    Security considerations discussed in [3], particularly with respect to the
    provision of authentication information, are directly applicable here.
    Additionally, it should be noted that providing LDAP server information by
    a broadcast protocol such as DHCP may allow unauthorized clients to learn
    the location of and authentication information for LDAP servers and hence
    pose as valid clients. This presents a security problem when sensitive
    information, such as user passwords, is published via LDAP servers.

    The DHCP protocol provides no mechanisms for the client to verify the
    validity and correctness of the received information. The security
    considerations in [1] discuss several weaknesses, particularly the problem
    with unauthorized DHCP servers.


    This was written in 1997, note the last paragraph above. These issues has been discusses and documented in several RFCs, many years ago...

    -- Leif
  • notice how the pro PC article just rails on and on about the security flaw, but doesn't mention that there isn't any malware going around to exploit it like in windoze. and how it was fixed promptly within a week. and even if there was malware, how far could it really go in a *nix environment????
  • I said it... (Score:5, Insightful)

    by daveschroeder ( 516195 ) * on Monday December 15, 2003 @05:24PM (#7728917)
    ...once [slashdot.org], Apple said it [apple.com], and advertized it [apple.com], but I'll say it again:

    This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme. [There is a certain level of implicit trust of the local network that is assumed.]

    This functionality - yes, functionality - has been in Mac OS X and its predecessors for YEARS. Just because all of a sudden someone paints it as a root exploit does not make it so. This is nothing like the standard fare of Windows remote exploits, some of which can be exploited against unpatched machines from any location on earth, at will, remotely, at any time, against any unprotected vulnerable machine. This "exploit" requires that a roque DHCP server be set up on your local network (!), and that a machine be rebooted (or otherwise perform a DHCP request) in this malicious environment. I repeat: just calling something a root exploit does not make it so.

    Perhaps it's time to have a larger discussion about how much you can really trust your local network infrastructure services, be they in a home environment or in a corporate setting, because that's what this is really about.

    Should Mac OS X have this default behavior?

    What are the tradeoffs?

    And so on.

    I just find the distinct lack of understanding of this issue astounding.

    (Note: and no, this isn't an issue of Apple glossing over something by calling something a "feature" when it's really an "exploit", as you could argue for some of MS's exploits. This really is a feature, and one that can be taken advantage of by rogue services on your network...like just about anything can in one way or another. If you're being affected by this so-called "exploit", you've got bigger problems on your hands...)
  • by dfj225 ( 587560 ) on Monday December 15, 2003 @06:15PM (#7729458) Homepage Journal
    Is how many people, when they write about OS X credit Apple with coming up with the secure design or other features. If anyone should be credited, it should be the people who develop FreeBSD, because that is the real reason why OS X is secure.
    • by sakusha ( 441986 ) on Monday December 15, 2003 @07:18PM (#7730032)
      You are right, BSD developers deserve credit. But you missed one extremely obvious point: that includes Apple. Apple's programmers contributing BSD code back to the source tree. Apple's efforts have brought more users and more programmers to BSD than ever before. Apple is the largest Unix vendor in the world.
  • by joebeone ( 620917 ) on Monday December 15, 2003 @07:32PM (#7730168) Homepage
    Sorry if this is redundant... new vulnerability posted to bugtraq... and you got to love the banter ("It appears that parts of MacOSX that didn't come from BSD are not very well written and have significant security issues."):

    http://www.securityfocus.com/archive/1/347578 [securityfocus.com]

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...