
OSX, Windows, and security

Posted today as a comment. Please read inline (Italics is for the comment, non-italics is for me).

You are correct that third-party applications are weak points. This applies equally if not more so to Mac OS X. I think there is use of more third-party apps under Mac OS X than typically by Windows XP/Vista users.

I'm not talking about 3rd party apps. I am talking about Open source apps that are integrated into the OS. Apache, MySQL, tcpdump, bind, etc. Neither OS supports the updating of a 3rd party app through their Software Update package. They SHOULD. I talked about this back here.

Windows is, in fact, much more open than Mac OS X. Mac OS X upon release looked nothing like FreeBSD 4, which it was based on. Note that FreeBSD 5 was almost done at the time Mac OS X was released and FreeBSD is now on version 7.

Windows is more open than OSX? OSX contains Open Source code, and Windows' total code is closed. So right there, by default, you are wrong. OSX was BASED on FreeBSD. No one says it is anymore. Far from it. Technically it could be argued that OSX is based on NeXTSTEP.

Microsoft provides symbol tables and wonderful debugging tools for its applications. Apple provides nothing in this area of comfort.

Apparently you have never looked at Xcode and all the debugging apps that are OSX based?

When Microsoft releases a specification, especially one based around security - thousands of intelligent code reviewers with the right kind of security backgrounds get to review it. Microsoft offers Blue Hat and other forums where the best and brightest in the security world get to give input into their process of building a secure operating system along with secure applications.

Yes, when Microsoft releases a SPECIFICATION, it is reviewed. Not CODE. Neither does Apple. Btw -- how did that OpenDoc xml specification do? Oh that's right, got rejected. Microsoft does offer Blue Hat and such, but the attendance is thin, is under NDA, and is secretive.

Apple throws rotten apples at vulnerability researchers.

Apple's product security team gives credit where credit is due. What do you want the product security team to do? Pay vulnerability researchers? MSFT doesn't do that either. That comment just makes no sense. Anyone that has actually worked with the Apple Product Security team (and yes, I have) knows they take the time to respond to an issue. Don't believe everything you read in the press.

Microsoft launched the Trustworthy Computing Initiative in 2002. Apple has never spent a dime or taken any "breaks" to check their code for security. Microsoft has been doing this for almost 6 years now and have applied it to all of their software. Security is baked into Microsoft applications.

WRONG. Apple does spend dimes on security, lots of them. Except they don't need a separate department (oh wait... they have one, it's called the Product Security team) to manage all the vulnerabilities.

For Apple, it's iced on as "features". You can just look at Matasano or anyone's assessment of the security features in Mac OS X LeoTard. It's abominable to think that Apple is doing a good job with regards to security.

I agree. Apple could do more. A lot more. I know they are taking steps to improve security, especially in QuickTime. I can't talk anymore about that though.

I am anxious to see the mantra "replace Mom and Dad's computer with a Mac this Christmas" backfire this year.

That's what they said last year too.

Do you remember why people write viruses?

Lack of a home life? Or to make money?

They write viruses to teach stupid people lessons.

Yeah? Or they are doing it for fun and profit. I'll stick with my thoughts.

You are that stupid person. Apple fanboys will eat their words when something bad happens this year.

That's what they said last year, and the year before. I'm not stupid. I know it's a reality. Our time is coming. I take a few extra steps to secure my computer.

And Apple doesn't care. They will wash their hands of liability while their customers suffer. They aren't "doing anything to stop the problem".

Wrong. See above. I can't talk about it any further.

They aren't "solving the QuickTime vulnerability problem". This would mean implementing a software assurance program. This would mean implementing something such as the Microsoft Security Development Lifecycle. Apple has not done this.

It doesn't mean that, it just means that the QuickTime team needs to re-look at all their code and secure it. You don't need a program or another acronym to solve the problem. Apple just needs to fix their code, they are, again, see above. Can't talk about it any further.

Apple does not "test test test test and test". That's what Microsoft does. Apple does not test at all... they think that testing and debugging are the same thing! A "quality test program" means integrating Quality Risk Management.

Riiiight. So Apple never seeds developer releases to test stuff?

It is held strongly by the Enterprise and research community that Sourcefire is the worst security company in the history of security companies.

Really? Is that why Snort is the IDS to which all other IDS's are measured? Is that why we have products that other companies can't even fathom? Please, show me this "strongly" held opinion.

Why haven't they been bought yet?

Tried that once, remember the whole CHKP thing?

Why are they going out of business?

What? Who said we are going out of business? Last time I checked we IPO'ed? We're making money?

I would never start a company based on an open-source product that is doomed to fail because of its architecture. Network intrusion detection was dead on arrival, but you think the 1998 Ptacek/Newsham paper would have killed it for sure. What is wrong with Sourcefire to think that they could continue this on for 10 years?

You would never make any money either apparently. Also, um, what code do we have that counters the Ptacek/Newsham paper? Target based fragmentation? We've even taken it a step further and countered Target based stream reassembly?

Windows vulnerabilities cause less damage.

$ lost by Blaster < $ lost by Quicktime. Yeah, um, no? Let's check our facts here.

Most are under a risk management plan, where an Enterprise business or government agency has compensating controls. They also have backups. Mac OS X users never have backups. I have never met a single one that does backups.

Time Machine was invented to solve this problem. Works for me.

Most Mac OS X users are complete newbies, that's why they are using Apple in the first place. If they already knew Windows well - they would stay with it.

Yeah, all people want that bloatware and Vista that doesn't work with their hardware. However, I will agree that most OSX users are newbies. Welcome. I will also disagree and say that most security people I know use OSX.

In the event of an emergency, Mac OS X users cannot help themselves. They rely on Apple to fix their problems. They can just take their laptop or iPod back to the Apple store and a Genius can order their replacement.

I know, isn't that a novel idea?

Even if it's a simple matter such as a battery or hard drive - expect to wait 4 to 8 weeks while your new equipment arrives.

Or, um... they have a shitton of them in the store. I've gone to an Apple store for a battery problem. Walked out with a brand new battery. I've never walked into a Microsoft Store and done that... oh yeah, that's because....

This is what is known to me as "a lot more damage". It's no wonder that Enterprises and government agencies don't use Apple computers!

Hm.. Didn't read the news this week did you? I know LtC Wallington, and I applaud his efforts.

Most Apple users don't care; they are used to crappy service and long wait times. They waited in line for their iPhone for 26 hours -- waiting for their replacement iPhone that doesn't have a faulty antenna or battery (or whatever) "isn't that big of a deal" -- even if it takes 6 weeks!

I only waited 4 hours. On release day. The people that waited 26 were just trying to make the news. They succeeded.

Most Apple products are purchased by Dad or on credit anyways -- so it's not like it's real money!

Where do you get this utterly pointless statistic?

Where did this conversation go anyway? You were wrong "ANONYMOUS".


Anonymous said…
Yawn, these people tire me out. It's useless to even try.

pr0le said…
I was going to agree with the above commenter, these people are a dime a dozen. I wanted to ask why you were even wasting your time with this guy, but then I got to the part about if they knew Windows well they'd stay with it.

I've used Mac since '94 and prefer Mac, though I don't consider myself a fanboy; I can definitely see the faults of Apple and will readily admit them. I'm currently an enterprise systems administrator, responsible for many Linux servers and a handful of Windows servers (plus the Windows workstation I'm forced to use, thank god for SecureCRT). The Windows machines are painful to work on. The logs tell you nothing, and the amount of effort you have to put into securing them is a waste of my time. I'd just put Linux on them if our DBAs didn't insist on SQL Server.

The point is, I've got extensive experience with all three platforms, and my platform of choice is OS X on a Mac.

Joel Esler said…
I do it because I want people to learn _why_ they are wrong. I don't want people to spit out mindless marketing and rhetoric. I don't want to diss people, I don't want to humiliate. I want people to learn WHY they are wrong. Mostly it comes from not studying your subject matter. (In this case OSX).
