MAC OS security issues?

bigred · 15th September 2009, 09:32 AM

I've always heard only PCs have so many security issues and MAC was this near-flawless OS security wise......?

http://blogs.zdnet.com/security/?p=4276&tag=nl.e550

GreNME · 15th September 2009, 09:57 AM

This isn't big news. Mac OS has been updating with security patches for years, and for the last year and a half there have been small cases of trojans in the wild.

OS X is an operating system like any other: there will always be things needing to be patched, and more often than not the biggest security hole is the person at the keyboard/mouse.

Lothian · 15th September 2009, 10:35 AM

I had to patch my mac last year and replace two buttons.

Epok · 15th September 2009, 10:38 AM

I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs?

GreNME · 15th September 2009, 10:45 AM

The debate with your friend is a very subjective issue. Some would say they're the same to write for, some would say PCs are easier, and some would say Macs are easier. That debate is predominately hedged on opinion.

Epok · 15th September 2009, 11:27 AM

Originally Posted by GreNME

The debate with your friend is a very subjective issue. Some would say they're the same to write for, some would say PCs are easier, and some would say Macs are easier. That debate is predominately hedged on opinion.

That does make things interesting because if there are actually people who say that it's easier to write viruses for Macs then that kinda blows away his argument that its nearly impossible to do it on a Mac.

Ducky · 15th September 2009, 11:40 AM

Originally Posted by Epok

That does make things interesting because if there are actually people who say that it's easier to write viruses for Macs then that kinda blows away his argument that its nearly impossible to do it on a Mac.

It is not impossible. It's easy if you hide your installer in an actual app's installer (see torrented versions of iChat, etc.)

GreNME · 15th September 2009, 02:50 PM

Originally Posted by Epok

That does make things interesting because if there are actually people who say that it's easier to write viruses for Macs then that kinda blows away his argument that its nearly impossible to do it on a Mac.

Impossible? Hardly. It sounds like the debate you guys are having is one of the average "OS Warz" battles that flare up now and again.

Nick Bogaerts · 15th September 2009, 03:46 PM

Originally Posted by Epok

I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs?

I'd say both aspects contribute to the relative paucity of Mac malware. There's certainly not as much to gain from OS X targeted attacks as there are from Windows ones, so less effort is put into it. That said, I believe there are architectural, organisational and cultural reasons why OS X is inherently more secure:

1 - OS X is based on Unix, which was designed as a multi-user timesharing system. Windows was built for single-user PCs. Unix was built with security in mind from the ground up, Windows had to have it patched on organically (Anyone familiar with Vista's UAC can probably tell you it's hardly elegant). In addition, the Internet was built on top of Unix - historically a large proportion of networking experts are Unix experts. The Internet was an afterthought bolted in Windows NT. Unix systems have it bred in. (Incidentally, the very first Web Server ran NeXTStep - a direct ancestor of Mac OS X). A Windows machine runs a lot more stuff with elevated privileges than your average Unix machine, things crackers can target. There are a lot more vectors of attack on a Windows platform as a result of its maladapted architecture.

2 - As a result of it's heritage, OS X has a lot of free software it inherited from *BSD. Free software is by nature more secure than its proprietary equivalent, because there's a lot more auditing done on it. Security by obscurity simply doesn't work. This only goes so far unfortunately, because Apple, like Microsoft, don't understand openness and are trying as much as they can do demolish their advantage in this area. Also, quite a few things on Macs comes from OpenBSD specifically (OpenSSH, for instance). Security wise, OpenBSD is the gold standard.

3 - Mac users are on average more sophisticated. Windows has more low-hanging fruits for malware writers to target. Because at the end of the day, a computer is as secure as it's user makes it. This is probably an argument more in your favour than in your friend's, though.

At the end of the day, no system is flawless. It depends a lot on the response of it's maintainers, because there will always be new vulnerabilities -- even my beloved Debian isn't immune to downright howlers. I don't know if Apple are any better than Microsoft at plugging vulnerabilities. They certainly ought to have less work, though.

GreNME · 16th September 2009, 03:00 PM

Nick, those are all fine points, but they reveal a bit of flawed understanding of the two operating systems from a comparative perspective. To each point:

Originally Posted by Nick Bogaerts

1 - OS X is based on Unix, which was designed as a multi-user timesharing system. Windows was built for single-user PCs. Unix was built with security in mind from the ground up, Windows had to have it patched on organically (Anyone familiar with Vista's UAC can probably tell you it's hardly elegant).

None of this is actually true from a technical perspective. The NT kernel and subsystems that versions of Windows since 2000 have run on were specifically designed as a multi-user network operating system. While flaws in approach could be stated (I often have gripes), the fact is that the core of Windows today was built specifically for multi-user environments. Further, Unix wasn't built from the ground up for security, either. It was built for multiple users to access from terminals and grew from there, just as fraught with bugs and bumps as any other operating system. It simply happens to have begun development decades earlier than the NT system.

And on an opinion level: I'm familiar with Windows UAC, and find it to be relatively unobtrusive. The reason I believe so many people have griped about it is due to the long history of Windows users being allowed to run with far too many privileges (despite there being user levels with appropriately safe permissions), and with the advent of Vista's UAC people who had previously had gotten comfortable with full access were confounded. I was not from the very start, and if anything this is because I was already familiar with operating system security and having to elevate privileges to make system changes, so UAC actually made it easier for me to do the same in Windows (which is far more evident when using a non-admin account and you get a credential prompt, and in a professional setting this is exactly what should happen to elevate privs).

Originally Posted by Nick Bogaerts

2 - As a result of it's heritage, OS X has a lot of free software it inherited from *BSD. Free software is by nature more secure than its proprietary equivalent, because there's a lot more auditing done on it. Security by obscurity simply doesn't work.

I'm sorry, but on a technical level I have to once again disagree strongly. There's very little actual useful software outside of the Darwin components that OS X has gotten from BSD, and while a lot of stuff out there can be recompiled under OS X (which I've done) that doesn't amount to what I'd call "a lof of" available software (I actually wish I could get a few things from Linux, personally). Additionally, just because a software is open source does not make it inherently more secure-- believe me, open source software has to be patched just as much as closed source software, and I've done so for both on a professional level. Finally, "security by obscurity" does work, it just doesn't work very well or for very long, and those in the specialty field of security will attest that while it's sometimes useful as a superficial first-layer type of security, it should never be counted on as the backbone. Neither OS X nor Windows use this method as the core of their security model (in fact, their security models are extremely similar).

Originally Posted by Nick Bogaerts

3 - Mac users are on average more sophisticated.

I actually laughed out loud when I read this. I really mean no offense by that, but the idea that Mac users tend to be more sophisticated just doesn't fly with me. I've done user support for both Mac and Windows computers, and the presentation of symptoms and understanding of how the system works tends to be very similar between the two groups. The only real difference I've ever noticed is that for the longest time Macs were a premium item and thus had a much more sparse base for technical support. As such, a lot of home users tended to be more aware of little tips and tricks, as well as some workarounds to common computer problems. As Macs begin gaining in market share their support base has increased (thus lowering the need for self-sufficiency), and with internet tips & tricks websites being so abundant the amount of lower-level information out there for solving nagging little problems has evened out considerably. But more importantly, the regular mantra of "it just works" that has been standard for Macs belies the falsehood of claiming that the users tend to be more sophisticated. If the system is made to function with less hassle or fiddling from the user, then there's actually less to be sophisticated about overall. While I'm sure this adds to the confidence level of the user to do things on their computer without fear of breaking something, this is hardly a measurably higher level of sophistication and is more likely a cultural affectation due to the perception of having fewer problems in general using the computer. I'm more than willing to posit that when it comes to general computing practices, Mac users and Windows users are likely about on par with each other.

But I do agree with you that, in the end, no system is flawless. My Mac gets just as many updates as my Vista desktop did (though I recently upgraded to Win 7, I expect the update cycle won't change drastically), and that's fine with me. A system that's being regularly patched and updated is a system that has a lower surface area for threats. Anti-malware software (now shipping with both Windows and OS X) adds another degree of protection, and 3rd-party antivirus can add yet another. Ultimately, though, there's not enough software in the world to protect a user from themselves, and time has shown that no matter what software or hardware is running on a system people can find ways to crack it and exploit it in ways originally unintended by the producers of the hardware/software. That's just the way computing is.

oldhat · 16th September 2009, 05:13 PM

OS X is far more hassle free and easy to use than Windows, as far as malware and viruses are concerned. I use both at work and at home and feel a dozen times more secure on the Macs doing things like surfing the web and opening email attachments.

Nick Bogaerts · 17th September 2009, 04:25 PM

Originally Posted by GreNME

None of this is actually true from a technical perspective. The NT kernel and subsystems that versions of Windows since 2000 have run on were specifically designed as a multi-user network operating system. While flaws in approach could be stated (I often have gripes), the fact is that the core of Windows today was built specifically for multi-user environments.

Up to a point. Though there's a hint of VMS in NT (which is a good thing), it had to keep ABI compatibility with its Windows 95 predecessors, which were hopeless security wise. And with a lot of deep calls at the wrong places (ActiveX, anyone?), which make equivalent security holes in Windows a lot more severe than in *NIX. There's a lot more of Win 95 in Vista than there is of Mac OS 5 in OS X. (And Mac OS 5 to 9 were possibly the most antiquated OSes ever - I had pre-emptive multitasking on my Amiga since 1985. It took PCs ten years to implement, and Macs fourteen)

Quote:

Further, Unix wasn't built from the ground up for security, either.

It's the other way round. Security was built from the ground up for Unix, then ported to Windows.

Quote:

It was built for multiple users to access from terminals and grew from there, just as fraught with bugs and bumps as any other operating system. It simply happens to have begun development decades earlier than the NT system.

A lot less bumps than almost any other. Not every system had the likes Thompson, Ritchie, Pike or Kernighan working on them.

Quote:

There's very little actual useful software outside of the Darwin components that OS X has gotten from BSD, and while a lot of stuff out there can be recompiled under OS X (which I've done) that doesn't amount to what I'd call "a lof of" available software (I actually wish I could get a few things from Linux, personally).

Half it's kernel, and its entire server stack are from the *NIX ecosystem. Security-wise, I'd much rather run Apache and MySQL on a Mac than IIS and SQL Server on a Windows server. Though I agree its a bit of a moot point, since I'd be better off wiping either system and running OpenBSD.

Quote:

Additionally, just because a software is open source does not make it inherently more secure-- believe me, open source software has to be patched just as much as closed source software

It gets patched a lot more in fact, which is why it's more secure.

drkitten · 17th September 2009, 06:26 PM

Originally Posted by Epok

I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs?

It is indeed harder to write large-scale malevolent programs for the Mac than it was to write such programs for recent-ish versions of Windows. Google "shatter attack" for one reason why. Basically, the interprocess security barrier (the stuff that keeps your email program from being able to scribble all over the document you're currently editing) in Windows is fundamentally broken in order to allow Windows processes (most notably, "Office") to play nicely together. This means that it's very easy for me to do what's called a privilege escalation attack on a Windows box and take the whole thing over if I can get you to run hostile code in user space.

Microsoft wrote a little white paper about ten years ago called "Ten Immutable Laws of Computer Security" where they admitted as much; they claimed that defense in depth, or the idea that an individual program could have restricted privileges that didn't extend to the entire system, was impossible. Which would have been of interest to OS designers of the 1960s, since they were building such systems thirty years before Microsoft said that what they had already done was impossible.

Basically, every system pre-Vista was insecure to the point of "broken beyond repair." Microsoft tried to argue -- and did so for years, successfully -- that it wasn't a design flaw, but a fundamental problem of the universe. Mac just built an OS atop a more secure platform that had defense in depth built-in.

Ducky · 17th September 2009, 07:26 PM

Originally Posted by Nick Bogaerts

Though I agree its a bit of a moot point, since I'd be better off wiping either system and running OpenBSD.

Amen to that, though my current love is to use OpenSolaris and containers to jail processes, in ZFS pools for easy restore. Also moot, since Containers are basically BSD jails with some magicks. I'll go back to BSD when they get the implementation of ZFS right and don't cause kernel panics with it.

GreNME · 17th September 2009, 08:26 PM

Originally Posted by Nick Bogaerts

Up to a point. Though there's a hint of VMS in NT (which is a good thing), it had to keep ABI compatibility with its Windows 95 predecessors, which were hopeless security wise. And with a lot of deep calls at the wrong places (ActiveX, anyone?), which make equivalent security holes in Windows a lot more severe than in *NIX. There's a lot more of Win 95 in Vista than there is of Mac OS 5 in OS X. (And Mac OS 5 to 9 were possibly the most antiquated OSes ever - I had pre-emptive multitasking on my Amiga since 1985. It took PCs ten years to implement, and Macs fourteen)

But none of that speaks to either Windows or Mac OS being superior to the other. While ActiveX is certainly a problem in Windows, the Safari app itself is the biggest security hole on the Mac OS. On the other hand, Windows (at least up to XP) "borrowed" BSD's networking stack for some of its own, but that doesn't make Windows' networking stack superior.

A distinction that could be made is that Unix (and BSD) are what can be called "real" multi-user operating systems, while Windows-- while being a multi-user OS-- was written with more interconnected-ness between its user sandboxes than would really be allowed for calling it a pure (or "real") multi-user OS. The changes in Vista threw away a lot of those components, but there's still enough there to still disqualify it as pure. Not for nothing, but the same applies with OS X, despite its core being fully qualified as a pure multi-user OS, and Apple wrote it that way on purpose to improve the single-user experience with less administrative overhead.

Originally Posted by Nick Bogaerts

It's the other way round. Security was built from the ground up for Unix, then ported to Windows.

I agree with you right up to the "ported to Windows" part, except that I would replace "for Unix" to "on Unix." Had the creators of Unix created something different (call it FooBox), then the development of security would have been on that instead. That Unix was the OS present during the early development of security practices isn't something inherent to Unix, and it certainly doesn't somehow pass on some heritable "security trait" to child OSes built on or based on it.

Originally Posted by Nick Bogaerts

Originally Posted by GreNME

It was built for multiple users to access from terminals and grew from there, just as fraught with bugs and bumps as any other operating system. It simply happens to have begun development decades earlier than the NT system.

A lot less bumps than almost any other. Not every system had the likes Thompson, Ritchie, Pike or Kernighan working on them.

I think you're looking at the history of computing on Unix systems with rose-colored glasses. The first computer viruses emerged on Unix systems-- though, again, this was only because it was the OS that was there and in use, not because of some inherent poor quality-- bugs happened regularly enough, and while many of the bumps back in the day happened due to similar reasons they still happen today (users, natch), there were plenty enough despite the suggested security practice of least possible privileges (which neither OS X nor Windows practice by default)

Originally Posted by Nick Bogaerts

Half it's kernel, and its entire server stack are from the *NIX ecosystem. Security-wise, I'd much rather run Apache and MySQL on a Mac than IIS and SQL Server on a Windows server. Though I agree its a bit of a moot point, since I'd be better off wiping either system and running OpenBSD.

Re-read what I wrote carefully. I fully acknowledge the Darwin components in OS X, but what I'm saying is that there are few full apps for the typical OS X user out there ported from BSD or any other *nix. Though, your comment about running OpenBSD is noted, and I got nothing of note to criticize against it except for slow development.

(Similar to Ducky, I wish Apple would get ZFS working properly on OS X, because that would make a huge splash, particularly in the server market)

Originally Posted by Nick Bogaerts

It gets patched a lot more in fact, which is why it's more secure.

I disagree with your implication. Open source gets patched a lot more because there are far more forks in development than closed source. Between OS X and Windows, the amount of patches are relatively the same. Patching in a timely fashion contributes to the security of a software (whether an OS or application), but the number or frequency of patches don't necessarily factor into that one way or the other (though the frequency of MS patches is a common criticism in the OS Warz).

I also feel it's important that I point out that I'm a happy user of OS X (Tiger and Leopard) and Windows (XP, Vista, and Win 7), and professionally I manage a mostly-Windows (XP and Vista) network and have experience with hybrid (Linux-Windows) networks and some Linux and a small bit of OS X support. I'm not the most experienced professional here (I know for a fact that Ducky has a far wider range of experience), but I am coming at the topic without prejudice against any operating system in particular. I like all the popular ones, mostly for different reasons in each, and if anything I see more convergence in the interface and features between Apple's and Microsoft's offerings than I do the radical differences from 20 or more years ago. More and more, I find the battles raging between Windows and Mac OS becoming less and less relevant in terms of actual differences between the two. Outside of the command-line differences (and only because I'm not familiar with C# on Windows), there's really not much I can do on one that can't be done pretty much the same or similar on the other.

Ducky · 17th September 2009, 09:41 PM

Originally Posted by GreNME

But none of that speaks to either Windows or Mac OS being superior to the other. While ActiveX is certainly a problem in Windows, the Safari app itself is the biggest security hole on the Mac OS. On the other hand, Windows (at least up to XP) "borrowed" BSD's networking stack for some of its own, but that doesn't make Windows' networking stack superior.

A distinction that could be made is that Unix (and BSD) are what can be called "real" multi-user operating systems, while Windows-- while being a multi-user OS-- was written with more interconnected-ness between its user sandboxes than would really be allowed for calling it a pure (or "real") multi-user OS. The changes in Vista threw away a lot of those components, but there's still enough there to still disqualify it as pure. Not for nothing, but the same applies with OS X, despite its core being fully qualified as a pure multi-user OS, and Apple wrote it that way on purpose to improve the single-user experience with less administrative overhead.

I agree with you right up to the "ported to Windows" part, except that I would replace "for Unix" to "on Unix." Had the creators of Unix created something different (call it FooBox), then the development of security would have been on that instead. That Unix was the OS present during the early development of security practices isn't something inherent to Unix, and it certainly doesn't somehow pass on some heritable "security trait" to child OSes built on or based on it.

I think you're looking at the history of computing on Unix systems with rose-colored glasses. The first computer viruses emerged on Unix systems-- though, again, this was only because it was the OS that was there and in use, not because of some inherent poor quality-- bugs happened regularly enough, and while many of the bumps back in the day happened due to similar reasons they still happen today (users, natch), there were plenty enough despite the suggested security practice of least possible privileges (which neither OS X nor Windows practice by default)

Re-read what I wrote carefully. I fully acknowledge the Darwin components in OS X, but what I'm saying is that there are few full apps for the typical OS X user out there ported from BSD or any other *nix. Though, your comment about running OpenBSD is noted, and I got nothing of note to criticize against it except for slow development.

(Similar to Ducky, I wish Apple would get ZFS working properly on OS X, because that would make a huge splash, particularly in the server market)

I disagree with your implication. Open source gets patched a lot more because there are far more forks in development than closed source. Between OS X and Windows, the amount of patches are relatively the same. Patching in a timely fashion contributes to the security of a software (whether an OS or application), but the number or frequency of patches don't necessarily factor into that one way or the other (though the frequency of MS patches is a common criticism in the OS Warz).

I also feel it's important that I point out that I'm a happy user of OS X (Tiger and Leopard) and Windows (XP, Vista, and Win 7), and professionally I manage a mostly-Windows (XP and Vista) network and have experience with hybrid (Linux-Windows) networks and some Linux and a small bit of OS X support. I'm not the most experienced professional here (I know for a fact that Ducky has a far wider range of experience), but I am coming at the topic without prejudice against any operating system in particular. I like all the popular ones, mostly for different reasons in each, and if anything I see more convergence in the interface and features between Apple's and Microsoft's offerings than I do the radical differences from 20 or more years ago. More and more, I find the battles raging between Windows and Mac OS becoming less and less relevant in terms of actual differences between the two. Outside of the command-line differences (and only because I'm not familiar with C# on Windows), there's really not much I can do on one that can't be done pretty much the same or similar on the other.

Easy there ace. I'm no Terry.

Although I am not the only sound engineer to end up a unix engineer where I work....hmm.....

That said, here's something to complicate the works a bit between this discussion...

I agree with you both. It's not simple nor is it a easy subject to boil down to talking points and I'm not sure you guys see your points don't necessarily contradict each other.

That said, I'll throw in my OS WARZ rebuttal that obviously we should all go back to AmigaOS. It was far superior to Apple DOS.

daSkeptic · 17th September 2009, 10:10 PM

Originally Posted by Ducky

... we should all go back to AmigaOS.

It was good enough for making Babylon 5 ...

Akuta · 17th September 2009, 10:14 PM

Originally Posted by Epok

I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs?

Well, as a programmer I can tell you that it is JUST as easy to write a virus for a Mac as it would be for a PC. All that is needed is to write it in a language that the Mac can read (such as C).

The reason why we saw so many viruses come out into the wild for Windows is due to the sheer volume of Windows users in addition to the ease with which "Virus Lab" programs were written in Visual Basic (a language that at the time was only executable by Windows and Windows-clone OSes).

There are plenty of viruses out there that affect more than one operating system. Not even Unix/Linux/BeOS/Linspire/CentOS/etc. are immune. All it takes is a person who knows a language that they can execute to write an application that can replicate itself (remember, viruses infect machines by being run locally. Worms spread themselves through computer vulnerabilities).

Anyways, hope that helped. Though I haven't read all of the responses below, so I don't know if the answer has already been given.

Edit : Please note that I'm only addressing the actual facts of WRITING the viruses... Not their impact due to security of a system.

GreNME · 17th September 2009, 10:50 PM

Originally Posted by Ducky

Easy there ace. I'm no Terry.

Although I am not the only sound engineer to end up a unix engineer where I work....hmm.....

Meh. It's not a matter of me bowing and saying your kung fu is greater than mine. I'm simply honest enough to know where my strengths are and that there are others with different strengths who can speak more to those topics than I can.

Originally Posted by Ducky

That said, here's something to complicate the works a bit between this discussion...

I agree with you both. It's not simple nor is it a easy subject to boil down to talking points and I'm not sure you guys see your points don't necessarily contradict each other.

You're right, of course. My main contention is that the original three points that were mentioned just aren't as clear-cut as they were presented. Both operating systems have their good (and, yes, great) points, and both have their respective warts. Over the years I've gone from behaving like I had a huge dog in the fight (I never did, but emotions get the better of us) to preferring to find and explore the areas of convergence and promoting (more) hybrid environments.

Originally Posted by Ducky

That said, I'll throw in my OS WARZ rebuttal that obviously we should all go back to AmigaOS. It was far superior to Apple DOS.

And it was dog poop compared to BeOS. (I keed)

Ducky · 17th September 2009, 11:51 PM

Originally Posted by GreNME

Meh. It's not a matter of me bowing and saying your kung fu is greater than mine. I'm simply honest enough to know where my strengths are and that there are others with different strengths who can speak more to those topics than I can.

Hmm. Your ideas intrigue me and I wish to subscribe to your newsletter...

Originally Posted by GreNME

You're right, of course. My main contention is that the original three points that were mentioned just aren't as clear-cut as they were presented. Both operating systems have their good (and, yes, great) points, and both have their respective warts. Over the years I've gone from behaving like I had a huge dog in the fight (I never did, but emotions get the better of us) to preferring to find and explore the areas of convergence and promoting (more) hybrid environments.

That I can get behind. I think open standards could do very well to integrate systems that do certain things very well in their own right with other systems that do other things very well. I work in a Solaris shop (mostly) but we do use windows environments for things they do very well (Exchange, Office, etc.) as well as IIS servers for some requirements to customers. We have MSSQL servers as well and while I prefer to work with our Solaris/Oracle/Mysql environment I have yet to not have use for my Windows VM to do certain things at work. Virtualization can help do lots of this, but we need to get companies (not just MS) to adhere more to open standards. Remember what MS did with Java? Well that's just one example, but the idea is there: Companies fear innovation when they think it will fight with their current projects. That they fear it isn't the bigger issue. Using new technologies instead of using dirty corporate tricks to screw with it is a better option for the user, and it's the users that make the sales. Security is a moving target. Security of different operating systems is difficult to reduce to simple terms because more than just one factor is involved, especially in specialized functions.

But I digress...

Originally Posted by GreNME

And it was dog poop compared to BeOS. (I keed)

I ran BeOS for a while. I was actually rather happy with it at the time. Now I run a variety of things, and they all have specific functions from desktop use to server to DAW etc...

OS Holy wars are a sad example of reducing a very complicated set of issues down to talking points that really don't do anything but further marketing points that are at best half true. And I know we all hate the PC Vs. Mac commercials, right?

Function determines form to me, but it also dictates security, which is an elusive and complicated matter much of the time. I'm not sure it's fair to say one operating system is more or less secure without also pointing out function of the operating system and what it is expected to perform and do. They all do have their security problems, but in the end the biggest security problem is the person using it, as security compromises usually start with their actions - whether they are a server op or a desktop user.

A while ago I added Bruce Schneier's blog to the list of links in this section. I highly recommend reading his blog. It's very good, and his essays are very well done in regards not only to computer security, but overall security concerns in meatspace.

On a last note, whatever kung fu I have is always something I can learn more for. I imagine I could learn a lot from GreNME, and everyone else that posts well reasoned and informed posts in this section. IT Kung Fu is like guitar playing. You can get pretty good playing on your own, and along with recordings but you get great by working with as many people as possible.

jsiv · 18th September 2009, 12:53 AM

Originally Posted by drkitten

Basically, the interprocess security barrier (the stuff that keeps your email program from being able to scribble all over the document you're currently editing) in Windows is fundamentally broken in order to allow Windows processes (most notably, "Office") to play nicely together. This means that it's very easy for me to do what's called a privilege escalation attack on a Windows box and take the whole thing over if I can get you to run hostile code in user space.

This is a fundamental difference in philosophy though. Windows was designed with the idea that a user is a user, and that anything the user is running should have access to everything the user has access to. This is why you can read and write to the memory of another process as long as it belongs to the same user. The only security boundary exists between different users. Now, memory protection prevents programs from accidentally doing it, but it has always been considered legitimate that programs can manipulate each other as long as they are run by the same user. In fact, you can even argue that this is a strength, since it allows closed source programs to easily be extended.

Shatter attacks are not really related to this. They are related to the fact that the windowing and graphics system doesn't have any security within the same session. If a process with higher privileges running in the same session decides to listen for window messages, other processes in the session can send it messages. This was also largely intentional, because being able to manipulate and extend programs is beneficial. What these higher privilege processes should have done was spin off another process that handled the windowing. In other words if you have a virus scanner, the user interface and the backend that does the actual scanning should be separate.

Graphics still doesn't really have any security to protect the user from itself, which means you can happily paint over important dialogs that belong to, say, IE protected mode or UAC, and thus trick the user into running you. This is one of several reasons why neither are considered security boundaries.

Originally Posted by Akuta

All it takes is a person who knows a language that they can execute to write an application that can replicate itself (remember, viruses infect machines by being run locally. Worms spread themselves through computer vulnerabilities).

Anyways, hope that helped. Though I haven't read all of the responses below, so I don't know if the answer has already been given.

Edit : Please note that I'm only addressing the actual facts of WRITING the viruses... Not their impact due to security of a system.

Well.. A virus needs a way to run itself though, and it's usually be exploiting a platform-specific bug. If it can't, it's a trojan. OS X is full of these bugs, so there's no real reason why it couldn't have more viruses.

GreNME · 18th September 2009, 02:01 AM

Originally Posted by Ducky

A while ago I added Bruce Schneier's blog to the list of links in this section. I highly recommend reading his blog. It's very good, and his essays are very well done in regards not only to computer security, but overall security concerns in meatspace.

Actually, on your recommendation a while back, I have started reading it (on an irregular basis). I forgot to thank you for that.

Originally Posted by Ducky

IT Kung Fu is like guitar playing. You can get pretty good playing on your own, and along with recordings but you get great by working with as many people as possible.

I am so "borrowing" this for later use. Very well said.

jsiv · 18th September 2009, 08:24 AM

Originally Posted by GreNME

But none of that speaks to [...] Mac OS being superior to the other.

But this does

YouTube Video This video is not hosted by the JREF. The JREF can not be held responsible for the suitability or legality of this material. By clicking the link below you agree to view content from an external website.

I AGREE

Akuta · 18th September 2009, 09:17 AM

Originally Posted by jsiv

Well.. A virus needs a way to run itself though, and it's usually be exploiting a platform-specific bug. If it can't, it's a trojan. OS X is full of these bugs, so there's no real reason why it couldn't have more viruses.

A virus DOES need a way to run... To run itself? No. Something has to be done by the user to enable it to function. Many times the virus is housed within an application (or sent through email) and requires the user to run the application (remember, a virus is an application just like Word is an application) for the first time. Once run for the first time, the virus can then embed itself deep within the registry, within local files and within local applications which will cause the virus to "spread" within the machine.

As for how they exploit the system, viruses exploit the system by getting the user of the system to run it. They cannot run themselves. Applications that utilize a system flaw to install itself are worms, not viruses. Worms spread themselves almost autonomously. Viruses require user interaction (meaning a user of the system HAS to run the virus the first time, whereas if you get infected by a worm it was merely a security flaw in the system and was infected by being connected to the internet).

A trojan is a totally different ball of wax. A trojan is an application that piggybacks on another, seemingly useful application, and installs a back door into the system (i.e. the Trojan Horse tactic : "Here's this fancy big horse as a gift of honor. Oh, wait... I forgot to mention all of the soldiers hidden within that are going to attack you tonight and open your gates for the rest of my soldiers.").

As for why Mac's don't have as MANY (note I didn't say as BAD) of viruses, I already addressed this. Volume of users as well as many "script kiddie" virus labs that were HEAVILY written in Visual Basic, which at the time only ran on Windows machines. This was the way people who have absolutely no clue as to how to write a program could create a virus and release it. A single person could release hundreds of variants of the virus in a single day, all with different payloads if they chose. The downfall to the virus lab softwares was that they tagged their own information into each of the viruses (i.e. A chunk of code that identified itself as from "Virus Lab X") which after the anti-virus software developers figured this out, they were able to make a computer immune to ALL viruses created with that specific virus lab generated software.

Hope to have clarified this,
Take care.

jsiv · 18th September 2009, 09:56 AM

The definitions are difficult and vague these days, but you're right. My mistake.

A key generator that actually turns out to be malware is a trojan. In other words a standalone program that claims to be something other than what it is. If it's embedded in something else, it doesn't really qualify as that (and they didn't put the horse inside a birthday cake).

Worms are self-replicating programs that spread automatically by exploiting bugs.

Viruses are self-replicating programs that are embedded in other executables and spread locally automatically, but have to be manually transfered to another machine.

This list doesn't cover everything though. What about malicious code that exploits a bug in, say, a web browser to install itself, and then spreads no further? Not a worm, and not a virus (but they tend to be labeled as the latter).

drkitten · 18th September 2009, 11:44 AM

Originally Posted by jsiv

This is a fundamental difference in philosophy though. Windows was designed with the idea that a user is a user, and that anything the user is running should have access to everything the user has access to.

.... which is simply another way of saying that "Windows was designed, fundamentally, to be insecure."

Quote:

Now, memory protection prevents programs from accidentally doing it, but it has always been considered legitimate that programs can manipulate each other as long as they are run by the same user.

"Always been considered" by whom? The *NIX family has never considered that to be legitimate, and any program open to the "world at large" (e.g., a web server, which runs as a single "user" but may be serving vastly different actual people out there in Internet-land) show that this is an overly simplistic view.

You may be able to make a very nuanced argument against putting in a per-process security barrier (although I've never seen one successfully made), but that still puts you in favor of designing for insecurity in favor of greater usability.

Quote:

Shatter attacks are not really related to this. They are related to the fact that the windowing and graphics system doesn't have any security within the same session. If a process with higher privileges running in the same session decides to listen for window messages, other processes in the session can send it messages. This was also largely intentional, because being able to manipulate and extend programs is beneficial.

Again, what you're saying is that Windows was designed to be insecure in the name of greater usability.

Quote:

Graphics still doesn't really have any security to protect the user from itself, which means you can happily paint over important dialogs that belong to, say, IE protected mode or UAC, and thus trick the user into running you. This is one of several reasons why neither are considered security boundaries.

Or, alternatively, why you should have considered them to be security boundaries and designed the system to be secure.

The *NIX designers took a different approach about where they considered security boundaries should go, and as a result, designed a system with better compartmentalization and better defense-in-depth. Which makes *NIX and by extension OS X a more secure system (one that's harder to write hostile code for), because you need to get through more compartments....

GreNME · 18th September 2009, 02:13 PM

Originally Posted by drkitten

The *NIX designers took a different approach about where they considered security boundaries should go, and as a result, designed a system with better compartmentalization and better defense-in-depth. Which makes *NIX and by extension OS X a more secure system (one that's harder to write hostile code for), because you need to get through more compartments....

I have a torrent for a free copy of iWork that you should download...

Akuta · 18th September 2009, 03:20 PM

Originally Posted by jsiv

The definitions are difficult and vague these days, but you're right. My mistake.

A key generator that actually turns out to be malware is a trojan. In other words a standalone program that claims to be something other than what it is. If it's embedded in something else, it doesn't really qualify as that (and they didn't put the horse inside a birthday cake).

Worms are self-replicating programs that spread automatically by exploiting bugs.

Viruses are self-replicating programs that are embedded in other executables and spread locally automatically, but have to be manually transfered to another machine.

This list doesn't cover everything though. What about malicious code that exploits a bug in, say, a web browser to install itself, and then spreads no further? Not a worm, and not a virus (but they tend to be labeled as the latter).

That's where the term "malware" comes in. Any software that is malicious in intent. If an application (in this case, we're talking about viruses/worms/etc.) uses an exploit to install itself it isn't a virus unless it is replicating itself. It is malware. "Bad software" so to speak. IF it does INDEED replicate itself, it is now in the realm of a virus. Viruses replicate. If you get infected with something that doesn't replicate itself for "survival" it's not technically a "virus" per se, but malware. That's the catch-all, anyways.

An example of this would be browser highjackers that install browser helper objects (BHOs) that "steal" information about how and what you browse, your demographic information and port that over to a main server to keep track of you and advertise towards you in a very specific way. We call this adware, but it is just another malware application. Other browser highjackers include "plugins" such as "toolbars" and such that do the same thing. One of my LEAST favorite of these is the search-control BHO that takes any and all of the commonly used search pages and makes your browser SHOW that it's using them, only to return results by THEIR OWN search engine... Which are typically links to sites that have advertised with them (again, this one is adware, spyware AND malware).

mikeyx · 18th September 2009, 07:09 PM

Originally Posted by Ducky

Hmm. Your ideas intrigue me and I wish to subscribe to your newsletter...

That I can get behind. I think open standards could do very well to integrate systems that do certain things very well in their own right with other systems that do other things very well. I work in a Solaris shop (mostly) but we do use windows environments for things they do very well (Exchange, Office, etc.) as well as IIS servers for some requirements to customers. We have MSSQL servers as well and while I prefer to work with our Solaris/Oracle/Mysql environment I have yet to not have use for my Windows VM to do certain things at work. Virtualization can help do lots of this, but we need to get companies (not just MS) to adhere more to open standards. Remember what MS did with Java? Well that's just one example, but the idea is there: Companies fear innovation when they think it will fight with their current projects. That they fear it isn't the bigger issue. Using new technologies instead of using dirty corporate tricks to screw with it is a better option for the user, and it's the users that make the sales. Security is a moving target. Security of different operating systems is difficult to reduce to simple terms because more than just one factor is involved, especially in specialized functions.

But I digress...

I ran BeOS for a while. I was actually rather happy with it at the time. Now I run a variety of things, and they all have specific functions from desktop use to server to DAW etc...

OS Holy wars are a sad example of reducing a very complicated set of issues down to talking points that really don't do anything but further marketing points that are at best half true. And I know we all hate the PC Vs. Mac commercials, right?

Function determines form to me, but it also dictates security, which is an elusive and complicated matter much of the time. I'm not sure it's fair to say one operating system is more or less secure without also pointing out function of the operating system and what it is expected to perform and do. They all do have their security problems, but in the end the biggest security problem is the person using it, as security compromises usually start with their actions - whether they are a server op or a desktop user.

A while ago I added Bruce Schneier's blog to the list of links in this section. I highly recommend reading his blog. It's very good, and his essays are very well done in regards not only to computer security, but overall security concerns in meatspace.

On a last note, whatever kung fu I have is always something I can learn more for. I imagine I could learn a lot from GreNME, and everyone else that posts well reasoned and informed posts in this section. IT Kung Fu is like guitar playing. You can get pretty good playing on your own, and along with recordings but you get great by working with as many people as possible.

curiosity, anyone ever play with either qnx or oberon system 3, as opposed to bluebox?

Ducky · 18th September 2009, 07:22 PM

Originally Posted by mikeyx

curiosity, anyone ever play with either qnx or oberon system 3, as opposed to bluebox?

I prefer to dink with minix over qnx when I am interested in a true microkernel playground. Not that qnx isn't one, I'm just more familiar with minix.

15th September 2009, 09:32 AM	#1
bigred Philosopher Join Date: Jan 2005 Location: USA Posts: 9,443	MAC OS security issues? I've always heard only PCs have so many security issues and MAC was this near-flawless OS security wise......? http://blogs.zdnet.com/security/?p=4276&tag=nl.e550

15th September 2009, 09:57 AM	#2
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	This isn't big news. Mac OS has been updating with security patches for years, and for the last year and a half there have been small cases of trojans in the wild. OS X is an operating system like any other: there will always be things needing to be patched, and more often than not the biggest security hole is the person at the keyboard/mouse.
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

15th September 2009, 10:35 AM	#3
Lothian (edited for breach of rule 10) Join Date: Apr 2002 Location: A small, blue-green world in one of the less fashionable sectors of the galaxy Posts: 7,033	I had to patch my mac last year and replace two buttons.
	__________________ "When two opposite points of view are expressed with equal intensity, the truth does not necessarily lie exactly half way between. It is possible for one side simply to be wrong." Richard Dawkins and Jerry Coyne JREF Forum Campaign Group

15th September 2009, 10:45 AM	#5
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	The debate with your friend is a very subjective issue. Some would say they're the same to write for, some would say PCs are easier, and some would say Macs are easier. That debate is predominately hedged on opinion.
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

15th September 2009, 02:50 PM	#8
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	Originally Posted by Epok That does make things interesting because if there are actually people who say that it's easier to write viruses for Macs then that kinda blows away his argument that its nearly impossible to do it on a Mac. Impossible? Hardly. It sounds like the debate you guys are having is one of the average "OS Warz" battles that flare up now and again.
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

15th September 2009, 10:38 AM	#4
Epok Thinker Join Date: Mar 2008 Location: Birmingham, Al Posts: 184	I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs?

15th September 2009, 11:27 AM	#6
Epok Thinker Join Date: Mar 2008 Location: Birmingham, Al Posts: 184	Originally Posted by GreNME The debate with your friend is a very subjective issue. Some would say they're the same to write for, some would say PCs are easier, and some would say Macs are easier. That debate is predominately hedged on opinion. That does make things interesting because if there are actually people who say that it's easier to write viruses for Macs then that kinda blows away his argument that its nearly impossible to do it on a Mac.

15th September 2009, 11:40 AM	#7
Ducky Titanium Superhero Join Date: Jun 2005 Location: Saint Paul, Minnesota Posts: 10,769	Originally Posted by Epok That does make things interesting because if there are actually people who say that it's easier to write viruses for Macs then that kinda blows away his argument that its nearly impossible to do it on a Mac. It is not impossible. It's easy if you hide your installer in an actual app's installer (see torrented versions of iChat, etc.)

15th September 2009, 03:46 PM	#9
Nick Bogaerts Muse Join Date: Jul 2005 Location: Didcot, Oxfordshire Posts: 597	Originally Posted by Epok I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs? I'd say both aspects contribute to the relative paucity of Mac malware. There's certainly not as much to gain from OS X targeted attacks as there are from Windows ones, so less effort is put into it. That said, I believe there are architectural, organisational and cultural reasons why OS X is inherently more secure: 1 - OS X is based on Unix, which was designed as a multi-user timesharing system. Windows was built for single-user PCs. Unix was built with security in mind from the ground up, Windows had to have it patched on organically (Anyone familiar with Vista's UAC can probably tell you it's hardly elegant). In addition, the Internet was built on top of Unix - historically a large proportion of networking experts are Unix experts. The Internet was an afterthought bolted in Windows NT. Unix systems have it bred in. (Incidentally, the very first Web Server ran NeXTStep - a direct ancestor of Mac OS X). A Windows machine runs a lot more stuff with elevated privileges than your average Unix machine, things crackers can target. There are a lot more vectors of attack on a Windows platform as a result of its maladapted architecture. 2 - As a result of it's heritage, OS X has a lot of free software it inherited from *BSD. Free software is by nature more secure than its proprietary equivalent, because there's a lot more auditing done on it. Security by obscurity simply doesn't work. This only goes so far unfortunately, because Apple, like Microsoft, don't understand openness and are trying as much as they can do demolish their advantage in this area. Also, quite a few things on Macs comes from OpenBSD specifically (OpenSSH, for instance). Security wise, OpenBSD is the gold standard. 3 - Mac users are on average more sophisticated. Windows has more low-hanging fruits for malware writers to target. Because at the end of the day, a computer is as secure as it's user makes it. This is probably an argument more in your favour than in your friend's, though. At the end of the day, no system is flawless. It depends a lot on the response of it's maintainers, because there will always be new vulnerabilities -- even my beloved Debian isn't immune to downright howlers. I don't know if Apple are any better than Microsoft at plugging vulnerabilities. They certainly ought to have less work, though.
	__________________ Oh, and when the last law was down, and the devil turned on you, where would you hide, Roper, all the laws being flat? This country is planted thick with laws from coast to coast, man's laws not God's, and if you cut them down—and you're just the man to do it—do you really think that you could stand upright in the winds that would blow then? Yes, I'd give the devil the benefit of the law, for my own safety's sake. —Robert Bolt, A Man For All Seasons

16th September 2009, 03:00 PM	#10
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	Nick, those are all fine points, but they reveal a bit of flawed understanding of the two operating systems from a comparative perspective. To each point: Originally Posted by Nick Bogaerts 1 - OS X is based on Unix, which was designed as a multi-user timesharing system. Windows was built for single-user PCs. Unix was built with security in mind from the ground up, Windows had to have it patched on organically (Anyone familiar with Vista's UAC can probably tell you it's hardly elegant). None of this is actually true from a technical perspective. The NT kernel and subsystems that versions of Windows since 2000 have run on were specifically designed as a multi-user network operating system. While flaws in approach could be stated (I often have gripes), the fact is that the core of Windows today was built specifically for multi-user environments. Further, Unix wasn't built from the ground up for security, either. It was built for multiple users to access from terminals and grew from there, just as fraught with bugs and bumps as any other operating system. It simply happens to have begun development decades earlier than the NT system. And on an opinion level: I'm familiar with Windows UAC, and find it to be relatively unobtrusive. The reason I believe so many people have griped about it is due to the long history of Windows users being allowed to run with far too many privileges (despite there being user levels with appropriately safe permissions), and with the advent of Vista's UAC people who had previously had gotten comfortable with full access were confounded. I was not from the very start, and if anything this is because I was already familiar with operating system security and having to elevate privileges to make system changes, so UAC actually made it easier for me to do the same in Windows (which is far more evident when using a non-admin account and you get a credential prompt, and in a professional setting this is exactly what should happen to elevate privs). Originally Posted by Nick Bogaerts 2 - As a result of it's heritage, OS X has a lot of free software it inherited from BSD. Free software is by nature more secure than its proprietary equivalent, because there's a lot more auditing done on it. Security by obscurity simply doesn't work. I'm sorry, but on a technical level I have to once again disagree strongly. There's very little actual useful software outside of the Darwin components that OS X has gotten from BSD, and while a lot of stuff out there can be recompiled under OS X (which I've done) that doesn't amount to what I'd call "a lof of" available software (I actually wish I could get a few things from Linux, personally). Additionally, just because a software is open source does not make it inherently more secure-- believe me, open source software has to be patched just as much as closed source software, and I've done so for both on a professional level. Finally, "security by obscurity" does* work, it just doesn't work very well or for very long, and those in the specialty field of security will attest that while it's sometimes useful as a superficial first-layer type of security, it should never be counted on as the backbone. Neither OS X nor Windows use this method as the core of their security model (in fact, their security models are extremely similar). Originally Posted by Nick Bogaerts 3 - Mac users are on average more sophisticated. I actually laughed out loud when I read this. I really mean no offense by that, but the idea that Mac users tend to be more sophisticated just doesn't fly with me. I've done user support for both Mac and Windows computers, and the presentation of symptoms and understanding of how the system works tends to be very similar between the two groups. The only real difference I've ever noticed is that for the longest time Macs were a premium item and thus had a much more sparse base for technical support. As such, a lot of home users tended to be more aware of little tips and tricks, as well as some workarounds to common computer problems. As Macs begin gaining in market share their support base has increased (thus lowering the need for self-sufficiency), and with internet tips & tricks websites being so abundant the amount of lower-level information out there for solving nagging little problems has evened out considerably. But more importantly, the regular mantra of "it just works" that has been standard for Macs belies the falsehood of claiming that the users tend to be more sophisticated. If the system is made to function with less hassle or fiddling from the user, then there's actually less to be sophisticated about overall. While I'm sure this adds to the confidence level of the user to do things on their computer without fear of breaking something, this is hardly a measurably higher level of sophistication and is more likely a cultural affectation due to the perception of having fewer problems in general using the computer. I'm more than willing to posit that when it comes to general computing practices, Mac users and Windows users are likely about on par with each other. But I do agree with you that, in the end, no system is flawless. My Mac gets just as many updates as my Vista desktop did (though I recently upgraded to Win 7, I expect the update cycle won't change drastically), and that's fine with me. A system that's being regularly patched and updated is a system that has a lower surface area for threats. Anti-malware software (now shipping with both Windows and OS X) adds another degree of protection, and 3rd-party antivirus can add yet another. Ultimately, though, there's not enough software in the world to protect a user from themselves, and time has shown that no matter what software or hardware is running on a system people can find ways to crack it and exploit it in ways originally unintended by the producers of the hardware/software. That's just the way computing is.
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

16th September 2009, 05:13 PM	#11
oldhat Muse Join Date: Dec 2008 Posts: 993	OS X is far more hassle free and easy to use than Windows, as far as malware and viruses are concerned. I use both at work and at home and feel a dozen times more secure on the Macs doing things like surfing the web and opening email attachments.
oldhat Muse Join Date: Dec 2008 Posts: 993	__________________ "I predict a complete rollover in Congress in 2010 to the Republicans. Bank on it. Laugh, but file it away in the back of your mind." -Beerina

17th September 2009, 04:25 PM	#12
Nick Bogaerts Muse Join Date: Jul 2005 Location: Didcot, Oxfordshire Posts: 597	Originally Posted by GreNME None of this is actually true from a technical perspective. The NT kernel and subsystems that versions of Windows since 2000 have run on were specifically designed as a multi-user network operating system. While flaws in approach could be stated (I often have gripes), the fact is that the core of Windows today was built specifically for multi-user environments. Up to a point. Though there's a hint of VMS in NT (which is a good thing), it had to keep ABI compatibility with its Windows 95 predecessors, which were hopeless security wise. And with a lot of deep calls at the wrong places (ActiveX, anyone?), which make equivalent security holes in Windows a lot more severe than in NIX. There's a lot more of Win 95 in Vista than there is of Mac OS 5 in OS X. (And Mac OS 5 to 9 were possibly the most antiquated OSes ever - I had pre-emptive multitasking on my Amiga since 1985. It took PCs ten years to implement, and Macs fourteen) Quote: Further, Unix wasn't built from the ground up for security, either. It's the other way round. Security was built from the ground up for Unix, then ported to Windows. Quote: It was built for multiple users to access from terminals and grew from there, just as fraught with bugs and bumps as any other operating system. It simply happens to have begun development decades earlier than the NT system. A lot less bumps than almost any other. Not every system had the likes Thompson, Ritchie, Pike or Kernighan working on them. Quote: There's very little actual useful software outside of the Darwin components that OS X has gotten from BSD, and while a lot of stuff out there can be recompiled under OS X (which I've done) that doesn't amount to what I'd call "a lof of" available software (I actually wish I could get a few things from Linux, personally). Half it's kernel, and its entire server stack are from the NIX ecosystem. Security-wise, I'd much rather run Apache and MySQL on a Mac than IIS and SQL Server on a Windows server. Though I agree its a bit of a moot point, since I'd be better off wiping either system and running OpenBSD. Quote: Additionally, just because a software is open source does not make it inherently more secure-- believe me, open source software has to be patched just as much as closed source software It gets patched a lot more in fact, which is why it's more secure.
	__________________ Oh, and when the last law was down, and the devil turned on you, where would you hide, Roper, all the laws being flat? This country is planted thick with laws from coast to coast, man's laws not God's, and if you cut them down—and you're just the man to do it—do you really think that you could stand upright in the winds that would blow then? Yes, I'd give the devil the benefit of the law, for my own safety's sake. —Robert Bolt, A Man For All Seasons Last edited by Nick Bogaerts; 17th September 2009 at 04:26 PM.

17th September 2009, 06:26 PM	#13
drkitten Penultimate Amazing Join Date: Mar 2004 Location: Wits' End Posts: 17,338	Originally Posted by Epok I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs? It is indeed harder to write large-scale malevolent programs for the Mac than it was to write such programs for recent-ish versions of Windows. Google "shatter attack" for one reason why. Basically, the interprocess security barrier (the stuff that keeps your email program from being able to scribble all over the document you're currently editing) in Windows is fundamentally broken in order to allow Windows processes (most notably, "Office") to play nicely together. This means that it's very easy for me to do what's called a privilege escalation attack on a Windows box and take the whole thing over if I can get you to run hostile code in user space. Microsoft wrote a little white paper about ten years ago called "Ten Immutable Laws of Computer Security" where they admitted as much; they claimed that defense in depth, or the idea that an individual program could have restricted privileges that didn't extend to the entire system, was impossible. Which would have been of interest to OS designers of the 1960s, since they were building such systems thirty years before Microsoft said that what they had already done was impossible. Basically, every system pre-Vista was insecure to the point of "broken beyond repair." Microsoft tried to argue -- and did so for years, successfully -- that it wasn't a design flaw, but a fundamental problem of the universe. Mac just built an OS atop a more secure platform that had defense in depth built-in.

17th September 2009, 07:26 PM	#14
Ducky Titanium Superhero Join Date: Jun 2005 Location: Saint Paul, Minnesota Posts: 10,769	Originally Posted by Nick Bogaerts Though I agree its a bit of a moot point, since I'd be better off wiping either system and running OpenBSD. Amen to that, though my current love is to use OpenSolaris and containers to jail processes, in ZFS pools for easy restore. Also moot, since Containers are basically BSD jails with some magicks. I'll go back to BSD when they get the implementation of ZFS right and don't cause kernel panics with it.

17th September 2009, 08:26 PM	#15
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	Originally Posted by Nick Bogaerts Up to a point. Though there's a hint of VMS in NT (which is a good thing), it had to keep ABI compatibility with its Windows 95 predecessors, which were hopeless security wise. And with a lot of deep calls at the wrong places (ActiveX, anyone?), which make equivalent security holes in Windows a lot more severe than in NIX. There's a lot more of Win 95 in Vista than there is of Mac OS 5 in OS X. (And Mac OS 5 to 9 were possibly the most antiquated OSes ever - I had pre-emptive multitasking on my Amiga since 1985. It took PCs ten years to implement, and Macs fourteen) But none of that speaks to either Windows or Mac OS being superior to the other. While ActiveX is certainly a problem in Windows, the Safari app itself is the biggest security hole on the Mac OS. On the other hand, Windows (at least up to XP) "borrowed" BSD's networking stack for some of its own, but that doesn't make Windows' networking stack superior. A distinction that could be made is that Unix (and BSD) are what can be called "real" multi-user operating systems, while Windows-- while being a multi-user OS-- was written with more interconnected-ness between its user sandboxes than would really be allowed for calling it a pure (or "real") multi-user OS. The changes in Vista threw away a lot of those components, but there's still enough there to still disqualify it as pure. Not for nothing, but the same applies with OS X, despite its core being fully qualified as a pure multi-user OS, and Apple wrote it that way on purpose to improve the single-user experience with less administrative overhead. Originally Posted by Nick Bogaerts* It's the other way round. Security was built from the ground up for Unix, then ported to Windows. I agree with you right up to the "ported to Windows" part, except that I would replace "for Unix" to "on Unix." Had the creators of Unix created something different (call it FooBox), then the development of security would have been on that instead. That Unix was the OS present during the early development of security practices isn't something inherent to Unix, and it certainly doesn't somehow pass on some heritable "security trait" to child OSes built on or based on it. Originally Posted by Nick Bogaerts Originally Posted by GreNME It was built for multiple users to access from terminals and grew from there, just as fraught with bugs and bumps as any other operating system. It simply happens to have begun development decades earlier than the NT system. A lot less bumps than almost any other. Not every system had the likes Thompson, Ritchie, Pike or Kernighan working on them. I think you're looking at the history of computing on Unix systems with rose-colored glasses. The first computer viruses emerged on Unix systems-- though, again, this was only because it was the OS that was there and in use, not because of some inherent poor quality-- bugs happened regularly enough, and while many of the bumps back in the day happened due to similar reasons they still happen today (users, natch), there were plenty enough despite the suggested security practice of least possible privileges (which neither OS X nor Windows practice by default) Originally Posted by Nick Bogaerts Half it's kernel, and its entire server stack are from the NIX ecosystem. Security-wise, I'd much rather run Apache and MySQL on a Mac than IIS and SQL Server on a Windows server. Though I agree its a bit of a moot point, since I'd be better off wiping either system and running OpenBSD. Re-read what I wrote carefully. I fully acknowledge the Darwin components in OS X, but what I'm saying is that there are few full apps for the typical OS X user out there ported from BSD or any other nix. Though, your comment about running OpenBSD is noted, and I got nothing of note to criticize against it except for slow development. (Similar to Ducky, I wish Apple would get ZFS working properly on OS X, because that would make a huge splash, particularly in the server market) Originally Posted by Nick Bogaerts It gets patched a lot more in fact, which is why it's more secure. I disagree with your implication. Open source gets patched a lot more because there are far more forks in development than closed source. Between OS X and Windows, the amount of patches are relatively the same. Patching in a timely fashion contributes to the security of a software (whether an OS or application), but the number or frequency of patches don't necessarily factor into that one way or the other (though the frequency of MS patches is a common criticism in the OS Warz). I also feel it's important that I point out that I'm a happy user of OS X (Tiger and Leopard) and Windows (XP, Vista, and Win 7), and professionally I manage a mostly-Windows (XP and Vista) network and have experience with hybrid (Linux-Windows) networks and some Linux and a small bit of OS X support. I'm not the most experienced professional here (I know for a fact that Ducky has a far wider range of experience), but I am coming at the topic without prejudice against any operating system in particular. I like all the popular ones, mostly for different reasons in each, and if anything I see more convergence in the interface and features between Apple's and Microsoft's offerings than I do the radical differences from 20 or more years ago. More and more, I find the battles raging between Windows and Mac OS becoming less and less relevant in terms of actual differences between the two. Outside of the command-line differences (and only because I'm not familiar with C# on Windows), there's really not much I can do on one that can't be done pretty much the same or similar on the other.
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

17th September 2009, 09:41 PM	#16
Ducky Titanium Superhero Join Date: Jun 2005 Location: Saint Paul, Minnesota Posts: 10,769	Originally Posted by GreNME But none of that speaks to either Windows or Mac OS being superior to the other. While ActiveX is certainly a problem in Windows, the Safari app itself is the biggest security hole on the Mac OS. On the other hand, Windows (at least up to XP) "borrowed" BSD's networking stack for some of its own, but that doesn't make Windows' networking stack superior. A distinction that could be made is that Unix (and BSD) are what can be called "real" multi-user operating systems, while Windows-- while being a multi-user OS-- was written with more interconnected-ness between its user sandboxes than would really be allowed for calling it a pure (or "real") multi-user OS. The changes in Vista threw away a lot of those components, but there's still enough there to still disqualify it as pure. Not for nothing, but the same applies with OS X, despite its core being fully qualified as a pure multi-user OS, and Apple wrote it that way on purpose to improve the single-user experience with less administrative overhead. I agree with you right up to the "ported to Windows" part, except that I would replace "for Unix" to "on Unix." Had the creators of Unix created something different (call it FooBox), then the development of security would have been on that instead. That Unix was the OS present during the early development of security practices isn't something inherent to Unix, and it certainly doesn't somehow pass on some heritable "security trait" to child OSes built on or based on it. I think you're looking at the history of computing on Unix systems with rose-colored glasses. The first computer viruses emerged on Unix systems-- though, again, this was only because it was the OS that was there and in use, not because of some inherent poor quality-- bugs happened regularly enough, and while many of the bumps back in the day happened due to similar reasons they still happen today (users, natch), there were plenty enough despite the suggested security practice of least possible privileges (which neither OS X nor Windows practice by default) Re-read what I wrote carefully. I fully acknowledge the Darwin components in OS X, but what I'm saying is that there are few full apps for the typical OS X user out there ported from BSD or any other nix. Though, your comment about running OpenBSD is noted, and I got nothing of note to criticize against it except for slow development. (Similar to Ducky, I wish Apple would get ZFS working properly on OS X, because that would make a huge splash, particularly in the server market) I disagree with your implication. Open source gets patched a lot more because there are far more forks in development than closed source. Between OS X and Windows, the amount of patches are relatively the same. Patching in a timely fashion* contributes to the security of a software (whether an OS or application), but the number or frequency of patches don't necessarily factor into that one way or the other (though the frequency of MS patches is a common criticism in the OS Warz). I also feel it's important that I point out that I'm a happy user of OS X (Tiger and Leopard) and Windows (XP, Vista, and Win 7), and professionally I manage a mostly-Windows (XP and Vista) network and have experience with hybrid (Linux-Windows) networks and some Linux and a small bit of OS X support. I'm not the most experienced professional here (I know for a fact that Ducky has a far wider range of experience), but I am coming at the topic without prejudice against any operating system in particular. I like all the popular ones, mostly for different reasons in each, and if anything I see more convergence in the interface and features between Apple's and Microsoft's offerings than I do the radical differences from 20 or more years ago. More and more, I find the battles raging between Windows and Mac OS becoming less and less relevant in terms of actual differences between the two. Outside of the command-line differences (and only because I'm not familiar with C# on Windows), there's really not much I can do on one that can't be done pretty much the same or similar on the other. Easy there ace. I'm no Terry. Although I am not the only sound engineer to end up a unix engineer where I work....hmm..... That said, here's something to complicate the works a bit between this discussion... I agree with you both. It's not simple nor is it a easy subject to boil down to talking points and I'm not sure you guys see your points don't necessarily contradict each other. That said, I'll throw in my OS WARZ rebuttal that obviously we should all go back to AmigaOS. It was far superior to Apple DOS.

17th September 2009, 10:10 PM	#17
daSkeptic Muse Join Date: Aug 2008 Location: Bellingham, WA ... under the cheese counter at Haggen Posts: 712	Originally Posted by Ducky ... we should all go back to AmigaOS. It was good enough for making Babylon 5 ...
	__________________ crud: noun - The SI unit of incredibility, equal to the movement of one-litre of hot air through a distance of one-metre in one-second. kudo: noun - The SI unit of credibility, reciprocal of the crud.

17th September 2009, 10:14 PM	#18
Akuta New Blood Join Date: Sep 2009 Posts: 8	Originally Posted by Epok I hope this isn't off the subject here but I need help with a debate I am having. I've always heard that people just don't write as many viruses for Mac because they don't have a customer base as large as PCs do. My friend claims that its much harder to write malevolent programs for Macs. I don't know much about programming but this just doesn't sound right to me. Isn't it just as hard to write viruses for Macs as it is for PCs? Well, as a programmer I can tell you that it is JUST as easy to write a virus for a Mac as it would be for a PC. All that is needed is to write it in a language that the Mac can read (such as C). The reason why we saw so many viruses come out into the wild for Windows is due to the sheer volume of Windows users in addition to the ease with which "Virus Lab" programs were written in Visual Basic (a language that at the time was only executable by Windows and Windows-clone OSes). There are plenty of viruses out there that affect more than one operating system. Not even Unix/Linux/BeOS/Linspire/CentOS/etc. are immune. All it takes is a person who knows a language that they can execute to write an application that can replicate itself (remember, viruses infect machines by being run locally. Worms spread themselves through computer vulnerabilities). Anyways, hope that helped. Though I haven't read all of the responses below, so I don't know if the answer has already been given. Edit : Please note that I'm only addressing the actual facts of WRITING the viruses... Not their impact due to security of a system.
Akuta New Blood Join Date: Sep 2009 Posts: 8	Last edited by Akuta; 17th September 2009 at 10:15 PM.

17th September 2009, 10:50 PM	#19
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	Originally Posted by Ducky Easy there ace. I'm no Terry. Although I am not the only sound engineer to end up a unix engineer where I work....hmm..... Meh. It's not a matter of me bowing and saying your kung fu is greater than mine. I'm simply honest enough to know where my strengths are and that there are others with different strengths who can speak more to those topics than I can. Originally Posted by Ducky That said, here's something to complicate the works a bit between this discussion... I agree with you both. It's not simple nor is it a easy subject to boil down to talking points and I'm not sure you guys see your points don't necessarily contradict each other. You're right, of course. My main contention is that the original three points that were mentioned just aren't as clear-cut as they were presented. Both operating systems have their good (and, yes, great) points, and both have their respective warts. Over the years I've gone from behaving like I had a huge dog in the fight (I never did, but emotions get the better of us) to preferring to find and explore the areas of convergence and promoting (more) hybrid environments. Originally Posted by Ducky That said, I'll throw in my OS WARZ rebuttal that obviously we should all go back to AmigaOS. It was far superior to Apple DOS. And it was dog poop compared to BeOS. (I keed)
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

17th September 2009, 11:51 PM	#20
Ducky Titanium Superhero Join Date: Jun 2005 Location: Saint Paul, Minnesota Posts: 10,769	Originally Posted by GreNME Meh. It's not a matter of me bowing and saying your kung fu is greater than mine. I'm simply honest enough to know where my strengths are and that there are others with different strengths who can speak more to those topics than I can. Hmm. Your ideas intrigue me and I wish to subscribe to your newsletter... Originally Posted by GreNME You're right, of course. My main contention is that the original three points that were mentioned just aren't as clear-cut as they were presented. Both operating systems have their good (and, yes, great) points, and both have their respective warts. Over the years I've gone from behaving like I had a huge dog in the fight (I never did, but emotions get the better of us) to preferring to find and explore the areas of convergence and promoting (more) hybrid environments. That I can get behind. I think open standards could do very well to integrate systems that do certain things very well in their own right with other systems that do other things very well. I work in a Solaris shop (mostly) but we do use windows environments for things they do very well (Exchange, Office, etc.) as well as IIS servers for some requirements to customers. We have MSSQL servers as well and while I prefer to work with our Solaris/Oracle/Mysql environment I have yet to not have use for my Windows VM to do certain things at work. Virtualization can help do lots of this, but we need to get companies (not just MS) to adhere more to open standards. Remember what MS did with Java? Well that's just one example, but the idea is there: Companies fear innovation when they think it will fight with their current projects. That they fear it isn't the bigger issue. Using new technologies instead of using dirty corporate tricks to screw with it is a better option for the user, and it's the users that make the sales. Security is a moving target. Security of different operating systems is difficult to reduce to simple terms because more than just one factor is involved, especially in specialized functions. But I digress... Originally Posted by GreNME And it was dog poop compared to BeOS. (I keed) I ran BeOS for a while. I was actually rather happy with it at the time. Now I run a variety of things, and they all have specific functions from desktop use to server to DAW etc... OS Holy wars are a sad example of reducing a very complicated set of issues down to talking points that really don't do anything but further marketing points that are at best half true. And I know we all hate the PC Vs. Mac commercials, right? Function determines form to me, but it also dictates security, which is an elusive and complicated matter much of the time. I'm not sure it's fair to say one operating system is more or less secure without also pointing out function of the operating system and what it is expected to perform and do. They all do have their security problems, but in the end the biggest security problem is the person using it, as security compromises usually start with their actions - whether they are a server op or a desktop user. A while ago I added Bruce Schneier's blog to the list of links in this section. I highly recommend reading his blog. It's very good, and his essays are very well done in regards not only to computer security, but overall security concerns in meatspace. On a last note, whatever kung fu I have is always something I can learn more for. I imagine I could learn a lot from GreNME, and everyone else that posts well reasoned and informed posts in this section. IT Kung Fu is like guitar playing. You can get pretty good playing on your own, and along with recordings but you get great by working with as many people as possible.
	Last edited by Ducky; 18th September 2009 at 12:51 AM.

18th September 2009, 12:53 AM	#21
jsiv King of Svalbard Join Date: Jul 2005 Location: Bortenfor alle blåner Posts: 4,105	Originally Posted by drkitten Basically, the interprocess security barrier (the stuff that keeps your email program from being able to scribble all over the document you're currently editing) in Windows is fundamentally broken in order to allow Windows processes (most notably, "Office") to play nicely together. This means that it's very easy for me to do what's called a privilege escalation attack on a Windows box and take the whole thing over if I can get you to run hostile code in user space. This is a fundamental difference in philosophy though. Windows was designed with the idea that a user is a user, and that anything the user is running should have access to everything the user has access to. This is why you can read and write to the memory of another process as long as it belongs to the same user. The only security boundary exists between different users. Now, memory protection prevents programs from accidentally doing it, but it has always been considered legitimate that programs can manipulate each other as long as they are run by the same user. In fact, you can even argue that this is a strength, since it allows closed source programs to easily be extended. Shatter attacks are not really related to this. They are related to the fact that the windowing and graphics system doesn't have any security within the same session. If a process with higher privileges running in the same session decides to listen for window messages, other processes in the session can send it messages. This was also largely intentional, because being able to manipulate and extend programs is beneficial. What these higher privilege processes should have done was spin off another process that handled the windowing. In other words if you have a virus scanner, the user interface and the backend that does the actual scanning should be separate. Graphics still doesn't really have any security to protect the user from itself, which means you can happily paint over important dialogs that belong to, say, IE protected mode or UAC, and thus trick the user into running you. This is one of several reasons why neither are considered security boundaries. Originally Posted by Akuta All it takes is a person who knows a language that they can execute to write an application that can replicate itself (remember, viruses infect machines by being run locally. Worms spread themselves through computer vulnerabilities). Anyways, hope that helped. Though I haven't read all of the responses below, so I don't know if the answer has already been given. Edit : Please note that I'm only addressing the actual facts of WRITING the viruses... Not their impact due to security of a system. Well.. A virus needs a way to run itself though, and it's usually be exploiting a platform-specific bug. If it can't, it's a trojan. OS X is full of these bugs, so there's no real reason why it couldn't have more viruses.
	__________________ Panama er landet eg drøymer om! Jula varer helt til påske!

18th September 2009, 02:01 AM	#22
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	Originally Posted by Ducky A while ago I added Bruce Schneier's blog to the list of links in this section. I highly recommend reading his blog. It's very good, and his essays are very well done in regards not only to computer security, but overall security concerns in meatspace. Actually, on your recommendation a while back, I have started reading it (on an irregular basis). I forgot to thank you for that. Originally Posted by Ducky IT Kung Fu is like guitar playing. You can get pretty good playing on your own, and along with recordings but you get great by working with as many people as possible. I am so "borrowing" this for later use. Very well said.
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

18th September 2009, 09:17 AM	#24
Akuta New Blood Join Date: Sep 2009 Posts: 8	Originally Posted by jsiv Well.. A virus needs a way to run itself though, and it's usually be exploiting a platform-specific bug. If it can't, it's a trojan. OS X is full of these bugs, so there's no real reason why it couldn't have more viruses. A virus DOES need a way to run... To run itself? No. Something has to be done by the user to enable it to function. Many times the virus is housed within an application (or sent through email) and requires the user to run the application (remember, a virus is an application just like Word is an application) for the first time. Once run for the first time, the virus can then embed itself deep within the registry, within local files and within local applications which will cause the virus to "spread" within the machine. As for how they exploit the system, viruses exploit the system by getting the user of the system to run it. They cannot run themselves. Applications that utilize a system flaw to install itself are worms, not viruses. Worms spread themselves almost autonomously. Viruses require user interaction (meaning a user of the system HAS to run the virus the first time, whereas if you get infected by a worm it was merely a security flaw in the system and was infected by being connected to the internet). A trojan is a totally different ball of wax. A trojan is an application that piggybacks on another, seemingly useful application, and installs a back door into the system (i.e. the Trojan Horse tactic : "Here's this fancy big horse as a gift of honor. Oh, wait... I forgot to mention all of the soldiers hidden within that are going to attack you tonight and open your gates for the rest of my soldiers."). As for why Mac's don't have as MANY (note I didn't say as BAD) of viruses, I already addressed this. Volume of users as well as many "script kiddie" virus labs that were HEAVILY written in Visual Basic, which at the time only ran on Windows machines. This was the way people who have absolutely no clue as to how to write a program could create a virus and release it. A single person could release hundreds of variants of the virus in a single day, all with different payloads if they chose. The downfall to the virus lab softwares was that they tagged their own information into each of the viruses (i.e. A chunk of code that identified itself as from "Virus Lab X") which after the anti-virus software developers figured this out, they were able to make a computer immune to ALL viruses created with that specific virus lab generated software. Hope to have clarified this, Take care.
Akuta New Blood Join Date: Sep 2009 Posts: 8

18th September 2009, 09:56 AM	#25
jsiv King of Svalbard Join Date: Jul 2005 Location: Bortenfor alle blåner Posts: 4,105	The definitions are difficult and vague these days, but you're right. My mistake. A key generator that actually turns out to be malware is a trojan. In other words a standalone program that claims to be something other than what it is. If it's embedded in something else, it doesn't really qualify as that (and they didn't put the horse inside a birthday cake). Worms are self-replicating programs that spread automatically by exploiting bugs. Viruses are self-replicating programs that are embedded in other executables and spread locally automatically, but have to be manually transfered to another machine. This list doesn't cover everything though. What about malicious code that exploits a bug in, say, a web browser to install itself, and then spreads no further? Not a worm, and not a virus (but they tend to be labeled as the latter).
	__________________ Panama er landet eg drøymer om! Jula varer helt til påske!

18th September 2009, 11:44 AM	#26
drkitten Penultimate Amazing Join Date: Mar 2004 Location: Wits' End Posts: 17,338	Originally Posted by jsiv This is a fundamental difference in philosophy though. Windows was designed with the idea that a user is a user, and that anything the user is running should have access to everything the user has access to. .... which is simply another way of saying that "Windows was designed, fundamentally, to be insecure." Quote: Now, memory protection prevents programs from accidentally doing it, but it has always been considered legitimate that programs can manipulate each other as long as they are run by the same user. "Always been considered" by whom? The NIX family has never considered that to be legitimate, and any program open to the "world at large" (e.g., a web server, which runs as a single "user" but may be serving vastly different actual people out there in Internet-land) show that this is an overly simplistic view. You may be able to make a very nuanced argument against putting in a per-process security barrier (although I've never seen one successfully made), but that still puts you in favor of designing for insecurity in favor of greater usability. Quote: Shatter attacks are not really related to this. They are related to the fact that the windowing and graphics system doesn't have any security within the same session. If a process with higher privileges running in the same session decides to listen for window messages, other processes in the session can send it messages. This was also largely intentional, because being able to manipulate and extend programs is beneficial. Again, what you're saying is that Windows was designed to be insecure in the name of greater usability. Quote: Graphics still doesn't really have any security to protect the user from itself, which means you can happily paint over important dialogs that belong to, say, IE protected mode or UAC, and thus trick the user into running you. This is one of several reasons why neither are considered security boundaries. Or, alternatively, why you should have considered them to be security boundaries and designed the system to be secure. The NIX designers took a different approach about where they considered security boundaries should go, and as a result, designed a system with better compartmentalization and better defense-in-depth. Which makes *NIX and by extension OS X a more secure system (one that's harder to write hostile code for), because you need to get through more compartments....

18th September 2009, 02:13 PM	#27
GreNME Philosopher Join Date: Sep 2007 Location: Folsom Prison Posts: 6,412	Originally Posted by drkitten The NIX designers took a different approach about where they considered security boundaries should* go, and as a result, designed a system with better compartmentalization and better defense-in-depth. Which makes *NIX and by extension OS X a more secure system (one that's harder to write hostile code for), because you need to get through more compartments.... I have a torrent for a free copy of iWork that you should download...
	__________________ _{Like love, criminals will always find a way. -- foxholeatheist The kind of pacifism I endorse is brought about by eliminating one enemy combatant at a time.-- JoeyDonuts}

18th September 2009, 03:20 PM	#28
Akuta New Blood Join Date: Sep 2009 Posts: 8	Originally Posted by jsiv The definitions are difficult and vague these days, but you're right. My mistake. A key generator that actually turns out to be malware is a trojan. In other words a standalone program that claims to be something other than what it is. If it's embedded in something else, it doesn't really qualify as that (and they didn't put the horse inside a birthday cake). Worms are self-replicating programs that spread automatically by exploiting bugs. Viruses are self-replicating programs that are embedded in other executables and spread locally automatically, but have to be manually transfered to another machine. This list doesn't cover everything though. What about malicious code that exploits a bug in, say, a web browser to install itself, and then spreads no further? Not a worm, and not a virus (but they tend to be labeled as the latter). That's where the term "malware" comes in. Any software that is malicious in intent. If an application (in this case, we're talking about viruses/worms/etc.) uses an exploit to install itself it isn't a virus unless it is replicating itself. It is malware. "Bad software" so to speak. IF it does INDEED replicate itself, it is now in the realm of a virus. Viruses replicate. If you get infected with something that doesn't replicate itself for "survival" it's not technically a "virus" per se, but malware. That's the catch-all, anyways. An example of this would be browser highjackers that install browser helper objects (BHOs) that "steal" information about how and what you browse, your demographic information and port that over to a main server to keep track of you and advertise towards you in a very specific way. We call this adware, but it is just another malware application. Other browser highjackers include "plugins" such as "toolbars" and such that do the same thing. One of my LEAST favorite of these is the search-control BHO that takes any and all of the commonly used search pages and makes your browser SHOW that it's using them, only to return results by THEIR OWN search engine... Which are typically links to sites that have advertised with them (again, this one is adware, spyware AND malware).
Akuta New Blood Join Date: Sep 2009 Posts: 8

18th September 2009, 07:09 PM	#29
mikeyx Muse Join Date: Oct 2007 Posts: 593	Originally Posted by Ducky Hmm. Your ideas intrigue me and I wish to subscribe to your newsletter... That I can get behind. I think open standards could do very well to integrate systems that do certain things very well in their own right with other systems that do other things very well. I work in a Solaris shop (mostly) but we do use windows environments for things they do very well (Exchange, Office, etc.) as well as IIS servers for some requirements to customers. We have MSSQL servers as well and while I prefer to work with our Solaris/Oracle/Mysql environment I have yet to not have use for my Windows VM to do certain things at work. Virtualization can help do lots of this, but we need to get companies (not just MS) to adhere more to open standards. Remember what MS did with Java? Well that's just one example, but the idea is there: Companies fear innovation when they think it will fight with their current projects. That they fear it isn't the bigger issue. Using new technologies instead of using dirty corporate tricks to screw with it is a better option for the user, and it's the users that make the sales. Security is a moving target. Security of different operating systems is difficult to reduce to simple terms because more than just one factor is involved, especially in specialized functions. But I digress... I ran BeOS for a while. I was actually rather happy with it at the time. Now I run a variety of things, and they all have specific functions from desktop use to server to DAW etc... OS Holy wars are a sad example of reducing a very complicated set of issues down to talking points that really don't do anything but further marketing points that are at best half true. And I know we all hate the PC Vs. Mac commercials, right? Function determines form to me, but it also dictates security, which is an elusive and complicated matter much of the time. I'm not sure it's fair to say one operating system is more or less secure without also pointing out function of the operating system and what it is expected to perform and do. They all do have their security problems, but in the end the biggest security problem is the person using it, as security compromises usually start with their actions - whether they are a server op or a desktop user. A while ago I added Bruce Schneier's blog to the list of links in this section. I highly recommend reading his blog. It's very good, and his essays are very well done in regards not only to computer security, but overall security concerns in meatspace. On a last note, whatever kung fu I have is always something I can learn more for. I imagine I could learn a lot from GreNME, and everyone else that posts well reasoned and informed posts in this section. IT Kung Fu is like guitar playing. You can get pretty good playing on your own, and along with recordings but you get great by working with as many people as possible. curiosity, anyone ever play with either qnx or oberon system 3, as opposed to bluebox?
mikeyx Muse Join Date: Oct 2007 Posts: 593

18th September 2009, 07:22 PM	#30
Ducky Titanium Superhero Join Date: Jun 2005 Location: Saint Paul, Minnesota Posts: 10,769	Originally Posted by mikeyx curiosity, anyone ever play with either qnx or oberon system 3, as opposed to bluebox? I prefer to dink with minix over qnx when I am interested in a true microkernel playground. Not that qnx isn't one, I'm just more familiar with minix.