Re: 265,000 new zombie PCs a day!
- From: Oxford <colalovesosx@xxxxxxx>
- Date: Wed, 23 Aug 2006 18:17:25 -0600
"John Slade" <hitman86@xxxxxxxxxxx> wrote:
Security should not be handled at the user level, it should be done at
the OS level like Apple does.
Oxford, there are so many holes in OS X that will let an attacker take
over the machine it's insane. Lots of web content can just deposit viruses
on OS X. It's just that OS X is so obscure nobody tries to attack it save a
few just to prove a point. There is no point in attacking OS X when you're
going to find a Windows system 95% of the time.
Oh, Slade... ready to embarrass yourself again? You are such a buffoon
on this topic, you always lose, and lose badly.
There are 10's of millions of Macs on the internet 24/7/365... and not a
SINGLE one has been breached. No software that is known today can break
into OSX, and that's proven every single minute of every day.
OSX is secure because of its Unix background, which was designed early
on to be on networks, and Apple's deep diligence in polishing an already
secure OS. Windows never was designed to be a network, it's a single
user system, and that's why 99.999% of viruses only affect Windows
machines.
Someday you'll understand what I'm saying, but until then, you'll just
be confused on this subject.
Why Microsoft refuses to fix the entire
problem is embarrassing, or perhaps they don't have the skills, but
either way a "user" should never have to worry about viruses/zombies and
the like.
Apple hasn't fixed the "entire problem" on OS X. Just look at the time
between the last two critical security patches Apple issued for OS X. The
time between them is the time OS X had big security holes that were
unprotected. Look I'll explain it to you like you're a clueless dummy.
Yes, and please provide a link to someone that was infected or had a
breached system before that patch was released? Waiting... The whole
thing you don't understand is that Apple works on the OS before a
problem appears, Microsoft does not. What you are pointing to are not
"massive" holes, they are just tiny specks that don't matter except in
an engineered, "cleanroom" example of a bogus network.
Apple issued a security patch on August 2nd, 2006; this is what it fixed.
http://secunia.com/advisories/21253/
And who was ever affected by this? ... these are just cleanroom
examples, not real world issues.
Now in that list are security holes that would allow someone to take
control of the OS X system and run any program they wanted without
permission.
And how could anyone do this? Please give an example, a real world
example... okay? If you can't show an example of someone taking "control
an osx system" you are 100% wrong, it's really that simple.
Now the previous patch was released June 29th, 2006. So that's over a
month that OS X sat there with gaping holes in it and Apple said nothing as
they were getting ready to put out a patch. That's a whole month OS X was
wide open to attack if the user had all updates and refused to protect their
system via other means. Now I know this will take a while to sink in.
However I have hope that if someone as clueless and ignorant as Oxford can
figure it out, then a regular person will know to protect their OS X system.
John, just admit that you are completely ignorant on this topic...
Please read the following and get back to us okay?
Reasons why OSX is so secure when compared to Windows...
The deep rooted problems with Windows:
All Windows background processes/daemons are spawned from a single
hyper-privileged process and referred to as services.
By default, Windows launches all services with SYSTEM-level
privileges.
SYSTEM is a pseudo-user (LocalSystem) that trumps Administrator
(like UNIX's root) in privileges. SYSTEM cannot be used to log in, but
it also has no password, no login script, no shell and no environment,
therefore the activity of SYSTEM is next to impossible to control or log.
Most of the code running on any Windows system at a given time is
related to services, most or all of which run with SYSTEM privileges,
therefore successful infection of running Windows software carries a good
chance of access to SYSTEM privileges.
Windows buries most privileged software, service executables and
configuration files in a single, unstructured massive directory
(SYSTEM32) that is frequently used by third parties. Windows will
notify you on an attempt to overwrite one of its own system files
stored here, but does not try to protect privileged software.
Microsoft does not sign or document the name and purpose of the
files it places in SYSTEM32.
Windows has no equivalent to OS X's bill of materials, so it cannot
validate permissions, dates and checksums of system and third-party
software.
Windows requires that users log in with administrative privileges
to install software, which causes many to use privileged accounts for
day-to-day usage.
Windows requires extraordinary effort to extract the path to, and
the files and TCP/UDP ports opened by, running services, and to certify
that they are valid.
Microsoft made it easy for commercial applications to refuse a
debugger's attempt to attach to a process or thread. Attackers use this
same mechanism to cloak malware. A privileged user must never be denied
access to a debugger on any system. My right to track down malware on
my computers trumps vendors' interests in preventing piracy or
reverse-engineering. Maintaining that right is one of the reasons that
open source commercial OS kernels are so vital.
Access to the massive, arcane, nearly unstructured,
non-human-readable Windows Registry, which was to be obsolete by now,
remains the only resource a Windows attacker needs to analyze and
control a Windows system.
Another trick that attackers learned from Microsoft is that
Registry entries can be made read-only even to the Administrator, so
you can find an exploit and be blocked from disarming it.
Malicious code or data can be concealed in NTFS files' secondary
streams. These are similar to HFS forks, but so few would think to look
at these.
One of the strongest tools that Microsoft has to protect users from
malware is Access Control Lists (ACLs), but standard tools make ACLs
difficult to employ, so most opt for NTFS's inadequate standard access
rights.
Why the above can't happen under OS X:
OS X has no user account with privileges exceeding root.
Maximum privilege is extended only to descendants of process ID 1
(init or Darwin's launchd), a role that is rarely used and closely
scrutinized.
Unlike services.exe, launchd executes daemons and scheduled
commands in a shell that's subject to login scripts, environment
variables, resource limits, auditing and all security features of
Darwin/OS X.
Apple's daemons have man pages, and third parties are duty-bound to
provide the same. Admins also expect to be able to run daemons, with
verbose reporting, in a shell for testing.
OS X Man pages document daemons' file dependencies, so
administrators can easily rework file permissions to match daemons'
reduced privileges.
Launchd can tripwire directories so that if they're altered
unexpectedly, launchd triggers a response.
If an attacker takes over a local or remote console, any effort to
install software or alter significant system settings cannot proceed
without entering the administrator's user name and password, even if
the console is already logged in as a privileged user. In other words,
even having privileges doesn't ensure that even an inside hacker can
arrange to keep them.
OS X has a single console and a single system log, both in plain
text.
OS X's nearest equivalent to the Registry is Netinfo, but this
requires authentication for modification. In later releases of OS X, it
is fairly sparse.
Applications have their own per-user and system-wide properties
files, private Registries if you like, stored in human-readable files
in standard locations.
Every installed file is traceable to a bill of materials that can
verify that the file is meant to exist, and that it and all of its
dependencies match their original checksums.
The directories used to hold OS X's privileged system executables
are sacred. Anything new that pops up there is immediately suspect.
OS X does not require that a user be logged in as an administrator
to install software. The user or someone aiding the install needs to
know the name and password of a local administrative user to complete
the install. On a network, most software is installed using Remote
Desktop, an inexpensive Systems Management Server-like console.
The UNIX/POSIX API, standard command-line tools and open source
tools leave malware unable to hide from a competent OS X administrator.
It takes a new UNIX programmer longer to choose an editor than it does
to write a console app that walks the process tree listing privileged
processes. Finding the owners of open TCP/UDP ports or open files is
similarly trivial. The "system" is not opaque.
Basic OS X features can be put to use to make life miserable for
malware. For example, Windows' hackable restore points are done better
by OS X's ability to create encrypted, read-only disk images. They're
simpler than archives, and you can mount them as volumes anywhere in
your file hierarchy.
Likewise, OS X Server will image any Mac client or server's local
drives and maintain safe copies that can be used not only for
restoration, but which can be booted from to guarantee that there's no
trace of infection.
When erase-and-reinstall is the only way to be sure, OS X Server
automates it. It can safely capture the affected Mac's active drives
before having that Mac boot from the fresh install image.
So, after all this, do I have enough to judge Windows inherently more
vulnerable to severe malware than OS X? I do.
I've been writing about these shortcomings for years, and it always
traces back to Microsoft's untenable policy of maintaining gaps in
Windows security to avoid competing with 3rd party vendors and
certified partners. Apple's taking a different approach: What users
need is in the box: Anti-virus, anti-spam, encryption, image backup and
restore, offsite safe storage through .Mac, and launchd. Pretty soon
any debate with Microsoft over security can be ended in one round when
Apple stands up, says "launchd," and sits back down.
---
Sorry Slade, OSX is just not a vulnerable OS, no matter how popular it
becomes. It's just not built like Windows, someday you'll learn, but
until then, you'll play the FOOL on CSMA.
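An added example, not part of the post or the article it quotes, of the process-tree walk the quoted article mentions: it parses the output of `ps -axo pid,ppid,user,comm` (BSD/macOS ps), lists root-owned processes with their ancestry back to launchd (pid 1), and flags any root process whose direct parent runs as an ordinary user, which is the one pattern a defender wants to see first. The sample ps output and every path in it are constructed.

```python
# Added example: walk `ps -axo pid,ppid,user,comm` output, list root-owned
# processes with their ancestry back to launchd (pid 1), and flag any root
# process whose parent is unprivileged. SAMPLE_PS and its paths are constructed.
SAMPLE_PS = """\
  PID  PPID USER     COMM
    1     0 root     /sbin/launchd
   45     1 root     /usr/sbin/syslogd
   60     1 root     /usr/sbin/sshd
  210    60 root     sshd: alice [priv]
  215   210 alice    sshd: alice@ttys001
  216   215 alice    -bash
  300   216 root     /tmp/.hidden/updater
  310     1 _www     /usr/sbin/httpd
"""

def parse_ps(text):
    """Map pid -> {ppid, user, comm}; the first line is the ps header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)          # comm may contain spaces
        if len(parts) == 4:
            pid, ppid, user, comm = parts
            procs[int(pid)] = {"ppid": int(ppid), "user": user, "comm": comm}
    return procs

def ancestry(procs, pid):
    """[pid, parent, grandparent, ...] up to launchd, whose parent (0) is absent."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain

def privileged(procs, user="root"):
    """Sorted pids running as `user`."""
    return sorted(p for p, i in procs.items() if i["user"] == user)

def suspicious_root(procs):
    """Root pids whose direct parent is not root: that privilege was not inherited
    from launchd's tree, so it came from setuid, sudo, or an exploit."""
    return [p for p in privileged(procs)
            if procs[p]["ppid"] in procs and procs[procs[p]["ppid"]]["user"] != "root"]

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid in privileged(procs):
        print(pid, procs[pid]["comm"], ancestry(procs, pid))
    print("suspicious:", suspicious_root(procs))
```

On a live system, feed it the real output with `parse_ps(subprocess.check_output(["ps", "-axo", "pid,ppid,user,comm"], text=True))`; a root process reached through an unprivileged shell is where to start looking.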