Wednesday, December 26

OSX, Windows, and security

Posted today as a comment. Please read inline (Italics is for the comment, non-italics is for me).

You are correct that third-party applications are weak points. This applies equally if not moreso to Mac OS X. I think there is use of more third-party apps under Mac OS X than typically by Windows XP/Vista users.

I'm not talking about 3rd party apps. I am talking about Open source apps that are integrated into the OS. Apache, Mysql, tcpdump, bind..etc.. Neither OS supports the updating of a 3rd party app through their Software Update package. They SHOULD. I talked about this back here.

Windows is, in fact, much more open than Mac OS X. Mac OS X upon release looked nothing like FreeBSD 4, which it was based on. Note that FreeBSD 5 was almost done at the time Mac OS X was released and FreeBSD is now on version 7.

Windows is more open than OSX? OSX contains Open Source code, and Windows total code is closed. So right there, by default, you are wrong. OSX was BASED on Freebsd. No one says it is anymore. Far from it. Technically it could be argued that OSX is based on NEXTSTep.

Microsoft provides symbol tables and wonderful debugging tools for its applications. Apple provides nothing in this area of comfort.

Apparently you have never looked at Xcode and all the debugging apps that are OSX based?

When Microsoft releases a specification, especially one based around security - thousands of intelligent code reviewers with the right kind of security backgrounds get to review it. Microsoft offers Blue Hat and other forums where the best and brightest in the security world get to give input into their process of building a secure operating system along with secure applications.

Yes, when Microsoft releases a SPECIFICATION, it is reviewed. Not CODE. Neither does Apple. Btw -- how did that OpenDoc xml specification do? Oh that's right, got rejected. Microsoft does offer Blue Hat and the such, but the attendance is thin, is under NDA, and is secretive.

Apple throws rotten apples at vulnerability researchers.

Apple's product security team gives credit where credit is due. What do you want the product security team to do? Pay vulnerability researchers? MSFT doesn't do that either. That comment just makes no sense. Anyone that has actually worked with Apple Product Security team (and yes, I have) know they take the time to respond to an issue. Don't believe everything you read in the press.

Microsoft launched the Trustworthy Computing Initiative in 2002. Apple has never spent a dime or taken any "breaks" to check their code for security. Microsoft has been doing this for almost 6 years now and have applied it to all of their software. Security is baked into Microsoft applications.

WRONG. Apple does spend dimes on security, lots of them. Except they don't need a separate department, (oh wait... they have one it's called the Product Security team), to manage all the vulnerabilites.

For Apple, it's iced on as "features". You can just look at Matasano or anyone's assessment of the security features in Mac OS X LeoTard. It's abominable to think that Apple is doing a good job with regards to security.

I agree. Apple could do more. A lot more. I know they are taking steps to improve security especially in Quicktime. I can't talk anymore about that though.

I am anxious to see the mantra "replace Mom and Dad's computer with a Mac this Christmas" backfire this year.

That's what they said last year too.

Do you remember why people write viruses?

Lack of a home life? Or to make money?

They write viruses to teach stupid people lessons.

Yeah? Or they are doing it for fun and profit. I'll stick with my thoughts.

You are that stupid person. Apple fanboys will eat their words when something bad happens this year.

That's what they said last year, and the year before. I'm not stupid. I know it's a reality. Our time is coming. I take a few extra steps to secure my computer.

And Apple doesn't care. They will wash their hands of liability while their customers suffer. They aren't "doing anything to stop the problem".

Wrong. See above. I can't talk about it any further.

They aren't "solving the QuickTime vulnerability problem". This would mean implementing a software assurance program. This would mean implementing something such as the Microsoft Security Development Lifecycle. Apple has not done this.

It doesn't mean that, it just means that the Quicktime team needs to re-look at all their code and secure it. You don't need a program or another acronym to solve the problem. Apple just needs to fix their code, they are, again, see above. Can't talk about it any further.

Apple does not "test test test test and test". That's what Microsoft does. Apple does not test at all... they think that testing and debugging are the same thing! A "quality test program" means integrating Quality Risk Management.

Riiiight. So Apple never seeds developer releases to test stuff?

It is held strongly by the Enterprise and research community that Sourcefire is the worst security company in the history of security companies.

Really? Is that why Snort is the IDS to which all other IDS's are measured? Is that why we have products that other companies can't even fathom? Please, show me this "strongly" held opinion.

Why haven't they been bought yet?

Tried that once, remember the whole CHKP thing?

Why are they going out of business?

What? Who said we are going out of business? Last time I checked we IPO'ed? We're making money?

I would never start a company based on an open-source product that is doomed to fail because of its architecture. Network intrusion detection was dead on arrival, but you think the 1998 Ptacek/Newsham paper would have killed it for sure. What is wrong with Sourcefire to think that they could continue this on for 10 years?

You would never make any money either apparently. Also, Um, what code do we have that counters the Ptacek/Newsham paper? Target based fragmentation? We've even take it a step further and countered Target based stream reassembly?

Windows vulnerabilities cause less damage.

$ lost by Blaster < $ lost by Quicktime. Yeah, um, no? Let's check our facts here.

Most are under a risk management plan, where an Enterprise business or government agency has compensating controls. They also have backups. Mac OS X users never have backups. I have never met a single one that does backups.

Time Machine was invented to solve this problem. Works for me.

Most Mac OS X users are complete newbies, that's why they are using Apple in the first place. If they already knew Windows well - they would stay with it.

Yeah, all people want that bloatware and Vista that doesn't work with their hardware. However, I will agree that most OSX users are newbies. Welcome. I will also disagree and say that most security people I know use OSX.

In the event of an emergency, Mac OS X users cannot help themselves. They rely on Apple to fix their problems. They can just take their laptop or iPod back to the Apple store and a Genius can order their replacement.

I know, isn't that a novel idea?

Even if it's a simple matter such as a battery or hard drive - expect to wait 4 to 8 weeks while your new equipment arrives.

Or, um... they have a shitton of them in the store. I've went to an Apple store for a battery problem. Walked out with a brand new battery. I've never walked into a Microsoft Store and done that... oh yeah, that's because....

This is what is known to me as "a lot more damage". It's no wonder that Enterprises and government agencies don't use Apple computers!

Hm.. Didn't read the news this week did you? I know LtC Wallington, and I applaud his efforts.

Most Apple users don't care; they are used to crappy service and long wait times. They waited in line for their iPhone for 26 hours -- waiting for their replacement iPhone that doesn't have a faulty antenna or battery (or whatever) "isn't that big of a deal" -- even if it takes 6 weeks!

I only waited 4 hours. On release day. They people that waited 26 were just trying to make the news. They succeeded.

Most Apple products are purchased by Dad or on credit anyways -- so it's not like it's real money!

Where do you get this utterly pointless statistic?

Where did this conversation go anyway? You were wrong "ANONYMOUS".


Anonymous said...

Yawn, these people tire me out. It's useless to even try.

jebro said...

I was going to agree with the above commenter, these people are a dime a dozen. I wanted to ask why you were even wasting your time with this guy, but then I got to the part about if they knew Windows well they'd stay with it.

I've used Mac since '94 and prefer Mac, though I don't consider myself a fanboy; I can definitely see the faults of Apple and will readily admit them. I'm currently an enterprise systems administrator, responsible for many linux servers and a handful of Windows servers (plus the Windows workstation I'm forced to use, thank god for SecureCRT). The Windows machines are painful to work on. The logs tell you nothing, and the amount of effort you have to put into securing them is a waste of my time. I'd just put linux on them if our DBA's didn't insist on SQL Server.

The point is, I've got extensive experience with all three platforms, and my platform of choice is OS X on a Mac.

Joel Esler said...

I do it because I want people to learn _why_ they are wrong. I don't want people to spit out mindless marketing and rhetoric. I don't want to diss people, I don't want to humiliate. I want people to learn WHY they are wrong. Mostly it comes from not studying your subject matter. (In this case OSX).