Re: The Myth of the secure Mac
- From: GreyCloud <cumulus@xxxxxxxx>
- Date: Mon, 31 Oct 2005 16:14:21 -0700
TheLetterK wrote:
>
> GreyCloud wrote:
> > TheLetterK wrote:
> >
> >>GreyCloud wrote:
> >>
> >>>TheLetterK wrote:
> >>>
> >>>
> >>>>GreyCloud wrote:
> >>>>
> >>>>
> >>>>>Michelle Ronn wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>One quick thing before I get started. I have been using a Mac for the
> >>>>>>past two years. I absolutely love it, and it is my machine of choice. I
> >>>>>>have admin'd Unix, PC, Mac and Mainframe networks for 20 years.
> >>>>>>
> >>>>>>One of my pet peeves of the Mac community is this false sense of
> >>>>>>security based on this logically unproven premise "There are no
> >>>>>>exploits for the Mac, therefore, there never will be;" or, "you do not
> >>>>>>need to run firewalls, anti-virus software, etc".
> >>>>>>
> >>>>>>Users who are less knowledgeable about security issues are lulled into a
> >>>>>>false sense of security. For this reason, I fear that the first
> >>>>>>successful major security issue that hits the Mac community will have a
> >>>>>>devastating effect.
> >>>>>>
> >>>>>>Proper security practice dictates the following things (any OS can be
> >>>>>>made secure following this):
> >>>>>>Intelligent users not doing stupid things
> >>>>>>Proper use of a firewall and anti-virus software
> >>>>>
> >>>>>
> >>>>>You can't get AV for OS X.
> >>>>>And there are no viruses. Find one and show me.
> >>>>
> >>>>Would you accept a trojan or worm?
> >>>>
> >>>
> >>>
> >>>Show me one that is running in the wild.
> >>
> >>The fake Word installer trojan is still floating around the p2p networks.
> >>
> >
> >
> > I haven't seen it, but the folks in comp.os.vms have.
> > And I bet that my ISP, bresnan, has as well. Probably why I
> > don't see it.
> >
> >
> >>>Nope. The server may have but I find nothing under Tiger or
> >>>Panther on the wife's Mac.
> >
> >
> >>Apple calls it 'Personal Web Server'. You can find it in Panther's
> >>sharing tab. It's really just Apache 1.x.
> >>
> >
> >
> > I looked but there are no processes like this running.
> Of course it wouldn't. You click on 'Personal Web Sharing' or whatever
> it is in the Sharing tab, and it starts Apache 1.x. Go ahead, start it
> and check the page they link you to.
>
> Just run 'httpd -v' on terminal, should show some version of Apache 1.x
> (it's 1.3.33 on Panther)
>
> > I upgraded to Tiger, and I know it is there.
> > The point is, Apple didn't make this an unnecessary process
> > that they'd expect an end user to be running.
> > And it would be a good idea that it isn't running. By
> > forcing the user to read up on Apache, they'd at least
> > understand how to use it first.
> They *don't*. They have a little check mark that says 'Personal Web
> Sharing' blatantly obvious in the Sharing preference pane. No indication
> that it might be dangerous, nor indication of what server Apple is
> actually using (Apache). There's certainly no documentation about it.
>
> Here's how a user can turn on Apache in OS X:
> http://img242.imageshack.us/img242/4795/apache2vd.jpg
>
> >
> >
> >>>The desktop mac isn't equipped to run as a server, nor did
> >>>Apple intend it to.
> >>
> >>Then why did they ship it with all these server daemons?
> >
> >
> > Beats me, but these processes aren't running by default.
> But can be turned on very easily, with no real warning for the user.
>
I don't see how they can be turned on unless the user turned
them on.
> > I suppose that two or more apples can be set up to run
> > Xgrid. But for the normal user, this just won't be needed
> > or necessary. It kind of reminds me of the old RedHat 5.2
> > Linux where everything is up and running.
> Which is very different from the even older Debian, where nothing is
> *installed* without the user at least deciding to do so.
>
I tried Debian before I tried RedHat. I actually liked it.
Then after a few more Linux distros I settled on Solaris and
CDE.
The docs were complete and well written.
> >
> >
> >>>Yeah, you can download Apache and run it.
> >>
> >>Why bother? I don't want to use Apache 2.x, and Apache 1.x already ships
> >>with OS X.
> >>
> >
> >
> > Doesn't matter as it isn't running by default.
> You claimed it didn't ship with OS X and had to be separately
> downloaded. I have disproven your claim.
>
I stand corrected then, only because I didn't see it.
I have no use at home for any server software, and I don't
think my ISP would appreciate it if I used their ISP for my
own web server.
> >
> >
> >>>And yet I do not see this in the wild.
> >>
> >>As I've said--because the malicious element doesn't give a damn about Macs.
> >>
> >
> >
> > That I believe is a pure urban legend that hackers don't
> > care about the mac or other platforms in general.
> > Seeing that Sun runs the mlb.com website, this would be a
> > hacker's delight to bring down that web site. But it is too
> > much trouble for hackers to figure out how to bypass
> > difficult security mechanisms. So their next best easy
> > target is M$ products. So much easier for them to cut their
> > teeth on.
> > But if they ever could write a virus for the Mac or any
> > other operating system, they'd have a big feather in their
> > cap and they know it.
> Believe what you will, I'd rather not live in a delusion thank you very
> much.
It isn't a delusion. Otherwise, it would have happened
already a few years ago.
The fact that there still isn't one in the wild for OS X or
Linux is a testament that it is still very difficult to do.
And I've yet to see any references or records to any one
being able to break into any VMS or OpenVMS system.
>
> >
> >
> >>>>Eh? I can pull an attachment off an e-mail (in GNU/Linux or FreeBSD) and
> >>>>run it just fine. No root needed. Not that I would ever consider doing
> >>>>so, but it's very possible to do it.
> >>>
> >>>
> >>>Sure, after you chmod +x to the particular file.
> >
> >
> >>Is that how Solaris operates? The BSDs and GNU/Linux have no such
> >>'safeguard'.
> >
> >
> > According to Sun, yes. It's a pain to install software on
> > UNIX. Sun doesn't have automatic download services. You
> > have to look up for recent patches, if any, and download
> > them... chmod +x the image, and then do the patchadd
> > service.
> I definitely prefer Debian's method. Manual patching? How distasteful.
>
It isn't too bad, and at least you know what went in. They
do give a patch summary after it is over.
> > With email stuff won't run when downloaded. I have to look
> > at the file, 'file filename' to see what it is if it is
> > executable, then chmod +x that file. This marks that file
> > mine, which the o/s will then recognize your right to run
> > it.
> > It's the same file mechanism with Linux.
> The only thing that blocks is execution of *binaries*, not reading or
> writing data to and from a file--644 (rw-r--r--) is default permissions
> for attachments.
It is the binaries that pose the problems. With any windows
it is just one mouse click for most malicious software in
emails and it is too late. With some emails, just receiving
them is too late.
Not a problem on other o/ses.
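
The execute-bit behaviour argued over in this thread (an attachment saved as 644 versus the same file after `chmod +x`), as an added example that is not part of the original posts. The file name and contents are constructed, and a temporary directory on a filesystem that permits execution is assumed.

```sh
#!/bin/sh
# Added example with constructed sample files; not from the thread.

# try_exec FILE: attempt to run FILE directly and print the exit status.
# 126 is the shell's "found but not executable" status.
try_exec() {
    status=0
    "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# count_executables DIR: number of regular files in DIR with any execute bit.
count_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
        wc -l | tr -d ' '
}

exec_bit_demo() {
    dir=$(mktemp -d) || return 1
    saved=$dir/attachment.sh
    old_umask=$(umask)
    umask 022                      # new files come out as 644 (rw-r--r--)
    printf '#!/bin/sh\nexit 0\n' > "$saved"
    umask "$old_umask"

    before=$(try_exec "$saved")                 # direct exec refused
    flagged_before=$(count_executables "$dir")  # audit finds nothing
    chmod +x "$saved"
    after=$(try_exec "$saved")                  # now runs
    flagged_after=$(count_executables "$dir")   # audit flags the file

    rm -rf "$dir"
    echo "$before $flagged_before $after $flagged_after"
}

exec_bit_demo   # prints: 126 0 0 1
```

The mode bit gates only direct execution; the file stays readable and writable as data, which is the distinction drawn in the quoted reply about 644 permissions.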