The Truth on OS X Security?

[TigerPRO]

As some of you are probably aware, there are two camps when it comes to beliefs about OS X security. One says that's it's just as insecure as Windows, but do to it's limited popularity, those problems aren't accentuated nearly as much. The other camp says that OS X is far more secure than Windows, and would remain so even if it was as popular as Windows.

My question is, does anyone have any insight into this matter for me? If you've read any good articles about OS X security, please pass them on for me. I'm in a desperate attempt to find the answers. But as of now, I'm on OS X's side of course. lol.

Andrew

 

[IJ Reilly]

This article debunks the claim that all OSs are created equally:

http://www.theregister.co.uk/content/4/34554.html

 

[miloblithe]

Although the obscurity arguement makes sense, I'd have to think that the "smugness" arguement serves as something of a counter. It's true that a Windows virus will have a wider impact and be more fun for its propegator, but all those Mac fans bragging about the security of their systems would have to serve as motivation for a virus programmer wanting to prove them wrong.

That said, I think the answer is both: Macs benefit from having a far more secure OS, and from being a far smaller target.

 

[zimv20]

the way i see it: unix grew up as an OS featuring multiple users and levels of permissions. it was also much more network central (and still is) and is often machine-independent, user-wise.

windows has always been based on the idea of a single user dedicated to a machine. of course, MS has taken long strides in retrofitting this model to a more unix-like model. but i see that retrofit as error-prone. other bad windows-like habits: doing all work as administrator, one-account machines defaulting to login screen disabled, distributing apps as executables.

also, historically, unix users are better trained at security. how the sudden influx of new unix users (i.e. osx) who are used to one-machine one-user affects this remains to be seen. home users have developed some pretty bad habits.

 

[bousozoku]

Coming from the world of big machines, I find UNIX to be reasonably secure by design and Windows to be an accident waiting to happen. Design by compromise is risky at best.

The thing about Mac OS X is that UNIX was never meant to be a desktop operating system, even when it ran on small machines such as the DEC PDP-7 and PDP-11 in the beginning. Mac OS X creates virtual teletype terminals (tty) each time you log into the machine or create new windows using Terminal, which log you in quietly.

There is a great risk, if someone cared enough to write a virus to exploit the lack of anti-virus software users on Mac OS X. The good thing is that everyone's so busy exploring and having fun and doing work, they don't have time or need to write a virus.

However, there aren't many security issues to attack and Apple has been fairly quick to handle them. Generally, the fixes have been available in the open source world and just need to be adapted to Apple's version of the same software. The recent QuickTime bug is not one of those, of course, and Apple needs to handle it, even if it is unlikely to be exploited.

I'd like to see more of a security infrastructure implemented in Mac OS X so it can go into bigger networks where trust is a must and encryption is life or death.

 

[JFreak]

unix is secure enough - for a normal user it is almost impossible to mess the whole system. in osx the superuser is disabled by default, and for every installation the os asks for admin password. of course, unix can and will be hacked too, but it is far more difficult than screwing up a windows pc.

nowadays most viruses spread via network, and the windows pc has "doors wide open". these little things called "ports" are shut by firewall in osx, and you need to explicitly tell system which ports you wish to be open. if no ports are open, nobody can come in - it's that simple.

greatest threat in unix systems is social hacking. it's far too easy to get some person to reveal his password and once this is done, that user is vulnerable. but only that user, not the operating system or other users. the same goes to windows users, which are by the way even more eagerly giving their passwords for anyone that claims to be it staff.

 

[MisterMe]

As some of you are probably aware, there are two camps when it comes to beliefs about OS X security. One says that's it's just as insecure as Windows, but do to it's limited popularity, those problems aren't accentuated nearly as much. The other camp says that OS X is far more secure than Windows, and would remain so even if it was as popular as Windows.

My question is, does anyone have any insight into this matter for me? If you've read any good articles about OS X security, please pass them on for me. I'm in a desperate attempt to find the answers. But as of now, I'm on OS X's side of course. lol.

Andrew

The "security through obscurity" defense was conjured up in the 1999 time frame by Microsoft and its fellow-travelers in response to the dramatic increase in viruses back then. Faced with the realization that it really couldn't fix the situation, Microsoft claimed that the large number of viruses and other vulnerabilities affecting its products were due to their popularity. I always called it "The Whore's Defense": "I'm not a whore, I'm just popular."

There was no evidence to support the assertion, but it was easier for a lot of Windows proponents to accept than the notion that their favorite system was inherently insecure and that there was precious little that could be done to rectify the situation. Now Microsoft and its apologists are faced with a more daunting fact. The number Windows exploits are being discovered faster than they can be fixed, but there are zero (0) MacOS X-specific viruses. So what is their response to this fact? They warn us in ominous tones that it is all a matter of time. The MacOS X viruses are coming. We will speed their arrival if we continue to proclaim that they do not exist. Could you imagine if we applied this logic to other endeavors? Weapons of mass destruction in Iraq? Let the Bush opponents continue to deny them and warehouses of WMDs will be found. Left-handed monkey wrenches? Deny them only to find a discount hardware superstore selling them like hotcakes. Ghosts and goblins? Continue to claim that they don't not exist and they will have their own TV show on FOX.

They call us smug. They call us zealots. But, they maintain undying faith in that which does not exist. Don't be angry with them. Pity them because they are the less fortunate.

 

[Fukui]

Coming from the world of big machines, I find UNIX to be reasonably secure by design and Windows to be an accident waiting to happen. Design by compromise is risky at best.

The thing about Mac OS X is that UNIX was never meant to be a desktop operating system, even when it ran on small machines such as the DEC PDP-7 and PDP-11 in the beginning. Mac OS X creates virtual teletype terminals (tty) each time you log into the machine or create new windows using Terminal, which log you in quietly.

There is a great risk, if someone cared enough to write a virus to exploit the lack of anti-virus software users on Mac OS X. The good thing is that everyone's so busy exploring and having fun and doing work, they don't have time or need to write a virus.

However, there aren't many security issues to attack and Apple has been fairly quick to handle them. Generally, the fixes have been available in the open source world and just need to be adapted to Apple's version of the same software. The recent QuickTime bug is not one of those, of course, and Apple needs to handle it, even if it is unlikely to be exploited.

I'd like to see more of a security infrastructure implemented in Mac OS X so it can go into bigger networks where trust is a must and encryption is life or death.

My feeling is, as long as apple doesn't attack Linux or Open source, they'll avoid 90% of the stuff out there...IMHO of course...

 

[bousozoku]

My feeling is, as long as apple doesn't attack Linux or Open source, they'll avoid 90% of the stuff out there...IMHO of course...

That's probably true. However, there are some people who feel that, just by using open source and not giving away Aqua and other premium items in Mac OS X, that Apple are evil. Thankfully, those people hate Windows and Microsoft more than Mac OS X and Apple.

 

[davecuse]

My feeling is, as long as apple doesn't attack Linux or Open source, they'll avoid 90% of the stuff out there...IMHO of course...

OS X is based on Open Source, FreeBSD to be exact. Apple and all of us benefit from having the core of the operating system available to developers who instead of creating a virus to expose a flaw, can look at the source code and show the world how to resolve the problem.

There is not a lot of financial motivation behind virus writing, as far as I can tell, there is however some gain to be seen from learning how to understand and alter the core components of an operating system.

I do tech support for a Windows based software company, and I cannot begin to describe how many people I talk to that have gaping security holes in their OS. The percentage of people who actually download and install updates is amazingly small. As far as MS is concerned there are no "security flaws" just "connectivity features".

 

[crenz]

My feeling is, as long as apple doesn't attack Linux or Open source, they'll avoid 90% of the stuff out there...IMHO of course...

Why do people think that these viruses stem out of the Open Source community? It's not a thing backed by the community, it used to be something done by individuals.

There is not a lot of financial motivation behind virus writing, as far as I can tell

The renowned German magazine c't has recently discovered that there are links between virus writers and spammers. Nowadays, most spam seems to come from hijacked Windows machines.

 

[briankonar]

home users have developed some pretty bad habits.

i'm curiousto know what some of these might be? i'm a single user of my computer coming from a windows environment, and am curious how i could be a little safer with my comp (not that i need to be, but you never know). Are you referring to just keeping your computer password protected etc and not d/l'ing unknown/unwanted files? That's all pretty standard as far as any home user (of minimal intellect at least) is concerned.

I'd be curious to know what steps people take to secure their systems? Additional Firewalls or modifications to OS X's firewall?
Anti Virus software, Disk Repair Utilities, etc?
Backups to...(insert media of choice, and reasoning preferably)?
anything else that i'm not even aware of?

 

[davecuse]

The renowned German magazine c't has recently discovered that there are links between virus writers and spammers. Nowadays, most spam seems to come from hijacked Windows machines.

That's a good point. On a different rant... it baffles me that spammers actually make money. I guess there really are some "less than intelligent" people out there who get spam in their inbox and actually buy a product. I just don't get it, why would that ever sound like a good idea? Oh this guy hikacked my email from a less than reputable source, let me give him my credit card number!

 

[Fukui]

Why do people think that these viruses stem out of the Open Source community? It's not a thing backed by the community, it used to be something done by individuals.



The renowned German magazine c't has recently discovered that there are links between virus writers and spammers. Nowadays, most spam seems to come from hijacked Windows machines.

I didn't say the open source community, but there are, I'm sure "zealot" people that make a bad name for Open Source (Something - open source - I think is great BTW). Nobody in thier right mind thinks writting virus' are good, but those few who do write them think so I'm sure. Its possible spammers are related to virus writters, but really, how hard is it to get a cheap white box, setup sendmail and spew out junk to whatever email address you want? Why tie your company to a virus and possibly get into trouble?

 

[Westside guy]

i'm curiousto know what some of these might be? i'm a single user of my computer coming from a windows environment, and am curious how i could be a little safer with my comp (not that i need to be, but you never know). Are you referring to just keeping your computer password protected etc and not d/l'ing unknown/unwanted files? That's all pretty standard as far as any home user (of minimal intellect at least) is concerned.

Well, the standard one that gets a lot of people is having an administrator account with no password. Most people shouldn't (and don't really need to) run as administrator all the time - but if you do, then at least password-protect it! You'd think this would be self-evident, but we (I work in the computing section at a large university) seem to run into "owned" boxes quite frequently - and often this is the culprit. BTW Windows XP Home has a semi-hidden administrator account, which by default has no password.

OS X is significantly more secure in this regard, since it follows the Linux/BSD "sudo" type rules which require you to enter your password before performing admin-level tasks.

Also, as a Windows XP user you should enable the built in firewall. This will shield you from the worst of the big exploits like DCOM or SQL-Slammer. If necessary, you can open up ports as needed.

Another step you can take is to use an e-mail client other than Outlook or Outlook Express. These programs are insecure by design.

Finally, consider using a browser other than IE. It's bad enough to have a browser that's hooked into the core OS; but to enable things like ActiveX as part of it is just waiting for exploits to hit.

 

[zimv20]

Are you referring to just keeping your computer password protected etc and not d/l'ing unknown/unwanted files?

that's a good start. for windows machines (some aren't windows-specific, i know), i recommend:
- making your daily account not have administrator access
- closing unneccessary ports
- if on broadband, running w/ a router w/ a firewall
- being diligant about running windows and office updates
- ensuring norton anti-virus (or such) is always running
- using strong passwords

there are additional steps that i don't take, 'cuz it's a pain, like turning off javascript, disabling cookies, frequently changing passwords, et. al. but every little bit helps.

about once a month, i get a call from someone who says essentially this: "i'm running windows 98 as administrator w/o any virus protection on a PC connected directly to the cable modem, and i opened an email attachment from someone i don't know. now i can't do anything."

 

[zimv20]

I didn't say the open source community, but there are, I'm sure "zealot" people that make a bad name for Open Source (Something - open source - I think is great BTW). Nobody in thier right mind thinks writting virus' are good, but those few who do write them think so I'm sure. Its possible spammers are related to virus writters, but really, how hard is it to get a cheap white box, setup sendmail and spew out junk to whatever email address you want? Why tie your company to a virus and possibly get into trouble?

w/in the past couple months, the NYT ran a really interesting article about who actually writes these things. the eye-opener is that this is not the group that releases them. the first group publishes their findings of security flaws and details of how to exploit it and actually informs security companies like symantec of what they've found. then the much-derided "script kiddies" pull that info off the web and release the worms/virii/etc.

the article highlighted some people in germany in other parts of europe (the virus creators), who cite freedom of speech and free exchange of information as their protectors. they don't advocate releasing what they've written, but proclaim their innocence if their creation is released by someone else.

 

[Makosuke]

Its possible spammers are related to virus writters, but really, how hard is it to get a cheap white box, setup sendmail and spew out junk to whatever email address you want? Why tie your company to a virus and possibly get into trouble?

Not possible, the link is definite and established.

Yes, it's cheap to buy a low-end PC, hook it to broadband, and start spewing spam, but then your crap is traceable and any decent ISP will shut you down in a matter of minutes. You can only isp/webhost hop so long before somebody sues you (after all, you had to pay to sign up--unless you use a stolen credit card, which many spammers do) or you run out of high speed access. A much more efficient alternative is to anonamously hijack computers and make them do the dirty work for you.

You're forgetting that the spammers we all hate are already breaking the law--most spam is fradulent anyway--so the people doing it care little about image or legality. It's not like they're companies on the NASDAQ, they're slimy con-artists working out of their suburban homes trying to swindle money from idiots.

 

[Fukui]

Not possible, the link is definite and established.

Yes, it's cheap to buy a low-end PC, hook it to broadband, and start spewing spam, but then your crap is traceable and any decent ISP will shut you down in a matter of minutes. You can only isp/webhost hop so long before somebody sues you (after all, you had to pay to sign up--unless you use a stolen credit card, which many spammers do) or you run out of high speed access. A much more efficient alternative is to anonamously hijack computers and make them do the dirty work for you.

You're forgetting that the spammers we all hate are already breaking the law--most spam is fradulent anyway--so the people doing it care little about image or legality. It's not like they're companies on the NASDAQ, they're slimy con-artists working out of their suburban homes trying to swindle money from idiots.

I like your description.
But yea, I tend to agree, they don't have much to lose do they?
But do you think they are the original authors or do they use some code already out there?

 

[SiliconAddict]

Why do people think that these viruses stem out of the Open Source community? It's not a thing backed by the community, it used to be something done by individuals.

Ya but it’s a pretty good bet that those individuals are pro open source *nix users. Look at the Mydoom virus that targeted SCO's website. Look at some of the other variants that target Microsoft's website. Don't tell me that these are pro Microsoft users who are looking for kicks on a Friday night.

 

[j33pd0g]

I never want to get the feeling that I got my money's worth out of OS X virus protection software. However, I'd gloat by saying: I run that .mac Virex freebie when I'm board.

 

[IJ Reilly]

The "security through obscurity" defense was conjured up in the 1999 time frame by Microsoft and its fellow-travelers in response to the dramatic increase in viruses back then. Faced with the realization that it really couldn't fix the situation, Microsoft claimed that the large number of viruses and other vulnerabilities affecting its products were due to their popularity. I always called it "The Whore's Defense": "I'm not a whore, I'm just popular."

There was no evidence to support the assertion, but it was easier for a lot of Windows proponents to accept than the notion that their favorite system was inherently insecure and that there was precious little that could be done to rectify the situation. Now Microsoft and its apologists are faced with a more daunting fact. The number Windows exploits are being discovered faster than they can be fixed, but there are zero (0) MacOS X-specific viruses. So what is their response to this fact? They warn us in ominous tones that it is all a matter of time. The MacOS X viruses are coming. We will speed their arrival if we continue to proclaim that they do not exist. Could you imagine if we applied this logic to other endeavors? Weapons of mass destruction in Iraq? Let the Bush opponents continue to deny them and warehouses of WMDs will be found. Left-handed monkey wrenches? Deny them only to find a discount hardware superstore selling them like hotcakes. Ghosts and goblins? Continue to claim that they don't not exist and they will have their own TV show on FOX.

They call us smug. They call us zealots. But, they maintain undying faith in that which does not exist. Don't be angry with them. Pity them because they are the less fortunate.

I just wanted to say, this is a wonderful rebuttal to the logic of FUD. It should be made into a poster and hung on the wall.

 

[stcanard]

that's a good start. for windows machines (some aren't windows-specific, i know), i recommend:
- making your daily account not have administrator access
[snip]

This is an interesting part, and speaks to one of the largest problems MS will have to fight in their uphill battle -- culture

I'm a long time unix geek, so when I installed Win2k on a home computer I automatically created two accounts, one admin, and one completely unpriviliged.

[side note -- I didn't create a "power user" because nowhere could I find a concise definition of what permissions a power user was given, so I couldn't even determine the security risks. Strike one]

I very quickly found out it is incredibly frustrating and almost impossible to run as anything other than admin (or, I presume, power user). A huge amount of sofware absolutely requires admin, for no particular purpose. Off the top of my head:

1) My HP scanner software (yup, non-admins couldn't scan)

2) Palm desktop -- now I understand why the hotsync manager has to be run as admin, but the desktop portion?!?!

3) Microsoft Word! -- admittedly it was an older version (word 98 I think), but not so old that NT4 hadn't already existed. I either had to run it as admin, or grant world write permission to my system32 directory!

4) ICQ -- yup, no IM if you're not an admin

Until MS educates their ISV's to recognize the security implicatations and build the software correctly for multi-user machines they are going to have a virus and worm problem. Heck, I even got to the point of considering saying to hell with it and just making my account an admin.

OSX, OTOH, with the "administer via sudo" concept does a pretty good job of avoiding the virus and worm issue even if your day to day account does have admin priv, and now can concentrate mainly on trojans.

 

[jxyama]

Don't tell me that these are pro Microsoft users who are looking for kicks on a Friday night.

i won't, but a bunch over at /. will tell you something else about those virus writers being open source advocates.

 

[wrldwzrd89]

This is an interesting part, and speaks to one of the largest problems MS will have to fight in their uphill battle -- culture

I'm a long time unix geek, so when I installed Win2k on a home computer I automatically created two accounts, one admin, and one completely unpriviliged.

[side note -- I didn't create a "power user" because nowhere could I find a concise definition of what permissions a power user was given, so I couldn't even determine the security risks. Strike one]

I very quickly found out it is incredibly frustrating and almost impossible to run as anything other than admin (or, I presume, power user). A huge amount of sofware absolutely requires admin, for no particular purpose. Off the top of my head:

1) My HP scanner software (yup, non-admins couldn't scan)

2) Palm desktop -- now I understand why the hotsync manager has to be run as admin, but the desktop portion?!?!

3) Microsoft Word! -- admittedly it was an older version (word 98 I think), but not so old that NT4 hadn't already existed. I either had to run it as admin, or grant world write permission to my system32 directory!

4) ICQ -- yup, no IM if you're not an admin

Until MS educates their ISV's to recognize the security implicatations and build the software correctly for multi-user machines they are going to have a virus and worm problem. Heck, I even got to the point of considering saying to hell with it and just making my account an admin.

OSX, OTOH, with the "administer via sudo" concept does a pretty good job of avoiding the virus and worm issue even if your day to day account does have admin priv, and now can concentrate mainly on trojans.

Oh dear!!! Windoze has some severe BUILT-IN security deficiencies that are essentially only fixable with new software (that doesn't need admin priveleges to run) and a new version of Windows (that doesn't rely on the admin account with no password). However, even that might not be enough - Windoze may need to be scrapped completely and replaced with a UNIX derivative to equal Mac OS X on security terms. Stcanard is correct regarding OS X and Trojan horses; even with the administration system that OS X provides, a Trojan horse program can still cause problems (in whatever limited way OS X allows, of course).