Re: 265,000 new zombie PCs a day!
- From: Oxford <colalovesosx@xxxxxxx>
- Date: Fri, 25 Aug 2006 08:52:16 -0600
Michelle Ronn <micron@xxxxxxxxxxx> wrote:
OSX is secure because of its Unix background, which was designed
early on to be on networks, and Apple's deep diligence in polishing an
already secure OS. Windows never was designed to be a network, it's a
single user system, and that's why 99.999% viruses, only affect Windows
machines.
Secure because of its *nix background, please explain. The current
Windows core, which is based on Windows NT, and not DOS, has been
designed to be on networks since day 1. I am glad you use a Mac, but
get your facts straight. Being an idiot is not gonna help.
Windows has not been a single user system since XP shipped. Before,
there was "single user" DOS based Windows, and there was Windows NT.
Two completely separate OSs. The fact it is a single user system has NO
correlation with the fact that people write viruses for it. If you have
evidence to the contrary, I would be interested in seeing it.
I'm saying the internet is based on Unix, not dos or VMS/XP, so it's
always been a poor OS... security wise. Unix wrote the rules, thus OSX
is secure because of its long, battle tested history.
Someday you'll understand what I'm saying, but until then, you'll just
be confused on this subject.
The key is, do YOU understand what you are saying. I don't think so.
Ah, but your comments show you are out of the loop on many of your
responses.
Yes, and please provide a link to someone that was infected or had a
breached system before that patch was released? Waiting... The whole
thing you don't understand is that Apple works on the OS before a
problem appears, Microsoft does not. What you are pointing to are not
"massive" holes, they are just tiny specks, that don't matter unless
an engineered, "cleanroom" example of a bogus network.
All OS vendors work on this stuff. The fact is, there are more people
outside than there are at the OS companies. External exposures are a
fact of life. Apple is no different than Microsoft in this regard.
Yes, but OSX has been tested far longer on world wide networks than XP.
Apple issued a security patch on August 2nd, 2006; this is what it fixed.
http://secunia.com/advisories/21253/
And who was ever affected by this? ... these are just cleanroom
examples, not real world issues.
The security of the system is as dependent on the user as anything
else. You put a box in a room with no connectivity, and there is a high
likelihood it will be breached. Put an idiot in charge of a system that
opens all the ports, and the system will be breached. The OS cannot
protect you from that.
Not with OSX, you can open all the ports you want, but there is no
technical way into the system unless you have Admin access.
And how could anyone do this? Please give an example, a real world
example... okay? If you can't show an example of someone taking
"control an osx system" you are 100% wrong, it's really that simple.
The fact does remain that there is no known exploit out in the wild
that takes over an OS/X system. That does not mean that one is not out
there. It also is a logical fallacy to conclude that it would never
happen. Apple keeps patching the system, which means that the system
was vulnerable before the patch.
No, it DOES mean there is "no known" exploit out there, the Mac
community would know if this wasn't the case. And of course patching the
system, DOES NOT mean the system was vulnerable before the patch. Apple
actually polishes the OS before problems can appear. MS does not take
this approach.
Now the previous patch was released June 29th, 2006. So that's over a
month that OS X sat there with gaping holes in it and Apple said
nothing as they were getting ready to put out a patch. That's a whole
month OS X was wide open to attack if the user had all updates and
refused to protect their system via other means. Now I know this will
take a while to sink in. However I have hope that if someone as
clueless and ignorant as Oxford can figure it out, then a regular
person will know to protect their OS X system.
John, just admit that you are completely ignorant on this topic...
Please read the following and get back to us okay?
Um, when you cut and paste an article, you are supposed to give credit
to the author....
If I knew who the author was, and it was posted to web that would be
great, but this isn't the case.
Windows has no equivalent to OS X's bill of materials, so it cannot
validate permissions, dates and checksums of system and third-party
software.
Actually, Windows has had stronger ACLs than OS X for quite some time.
OS X is only starting to catch up here with Tiger, and will do more
with Leopard.
agree.
Windows requires that users log in with administrative privileges
to install software, which causes many to use privileged accounts for
day-to-day usage.
Not completely true. Some apps do, most applications do not. The fact
that users run as admin privs by practice is a HUGE problem. One of the
many things that OSX does right.
yes, but from the outside, all changes to OSX require physical
"keyboard" Admin access.
Windows requires extraordinary effort to extract the path to, and
the files and TCP/UDP ports opened by, running services, and to certify
that they are valid.
um yeah, you use a tool to check this out, just like every other OS.
yes.
Microsoft made it easy for commercial applications to refuse a
debugger's attempt to attach to a process or thread. Attackers use this
same mechanism to cloak malware. A privileged user must never be denied
access to a debugger on any system. My right to track down malware on
my computers trumps vendors' interests in preventing piracy or
reverse-engineering. Maintaining that right is one of the reasons that
open source commercial OS kernels are so vital.
I guess this is referring to root kits. These are potential problems for
ANY OS. Even more so with virtualization support in the hardware.
although if a rootkit cannot be installed, there isn't much that can be
done to the system... and since OSX cannot be changed from the outside
without Admin access, it makes it an impossibility.
Access to the massive, arcane, nearly unstructured,
non-human-readable Windows Registry, which was to be obsolete by now,
remains the only resource a Windows attacker needs to analyze and
control a Windows system.
Total opinion here. The registry may be a pain, but I would like to see
a better system. All of these types of systems have their pros and
cons. I have yet to see a perfect one.
OSX has a far better system. No downside to Apple's approach. Install an
app, drag and drop, to remove an app, drag to the trash. Very clean.
Another trick that attackers learned from Microsoft is that
Registry entries can be made read-only even to the Administrator, so
you can find an exploit and be blocked from disarming it.
Malicious code or data can be concealed in NTFS files' secondary
streams. These are similar to HFS forks, but so few would think to look
at these.
As long as your virus scanning tools look at this, what is the problem?
Windows is not the only OS that supports these sorts of file
systems.
Why would there be a need for Virus scanning if the OS was secure in the
first place? OSX doesn't require those tools, since that is handled by
Apple, not at the "user level", as Microsoft makes users do.
One of the strongest tools that Microsoft has to protect users from
malware is Access Control Lists (ACLs), but standard tools make ACLs
difficult to employ, so most opt for NTFS's inadequate standard access
rights.
Again, author showing bias. ACLs work well, and are fine.
fine.
Why the above can't happen under OS X:
OS X has no user account with privileges exceeding root.
Maximum privilege is extended only to descendants of process ID 1
(init or Darwin's launchd), a role that is rarely used and closely
scrutinized.
Unlike services.exe, launchd executes daemons and scheduled
commands in a shell that's subject to login scripts, environment
variables, resource limits, auditing and all security features of
Darwin/OS X.
Apple's daemons have man pages, and third parties are duty-bound to
provide the same. Admins also expect to be able to run daemons, with
verbose reporting, in a shell for testing.
you are depending on application dev support for this, which they are
not bound to do. There are great OSX apps, and there are crappy ones...
just like any other OS.
yes, but the Mac community will disallow any application that does not
conform to quality standards, this is why there aren't really any bad
OSX apps, they simply don't survive the critical review process.
OS X Man pages document daemons' file dependencies, so
administrators can easily rework file permissions to match daemons'
reduced privileges.
Launchd can tripwire directories so that if they're altered
unexpectedly, launchd triggers a response.
If an attacker takes over a local or remote console, any effort to
install software or alter significant system settings cannot proceed
without entering the administrator's user name and password, even if
the console is already logged in as a privileged user. In other words,
even having privileges doesn't ensure that even an inside hacker can
arrange to keep them.
same strategy that takes over a system account in NT creates a problem
with this strategy as well. This problem has plagued many OSs over
time, including Unix.
OSX has never had a breach because of this design, because launchd
prevents it.
OS X has a single console and a single system log, both in plain
text.
OS X's nearest equivalent to the Registry is Netinfo, but this
requires authentication for modification. In later releases of OS X, it
is fairly sparse.
Applications have their own per-user and system-wide properties
files, private Registries if you like, stored in human-readable files
in standard locations.
This is different from a registry, but I fail to see how it is
necessarily better. You are arguing decentralization vs centralization.
Each has good and bad.
Except OSX's approach is clean and doesn't need to be managed, it's just
a drag and drop, seamless to user process.
Every installed file is traceable to a bill of materials that can
verify that the file is meant to exist, and that it and all of its
dependencies match their original checksums.
if the dev follows the rules. They are not forced to do so.
but again, within the Mac dev community, these rules are followed or the
program will not survive.
The directories used to hold OS X's privileged system executables
are sacred. Anything new that pops up there is immediately suspect.
by whom?
Ah, the Mac community controls all programs... so you can't have apps
that do not correctly follow these guidelines.
OS X does not require that a user be logged in as an administrator
to install software. The user or someone aiding the install needs to
know the name and password of a local administrative user to complete
the install. On a network, most software is installed using Remote
Desktop, an inexpensive Systems Management Server-like console.
Ok, total contradiction here.. you don't have to be logged in as an
admin, but you have to log in as the admin to do an install?
yes, if a standard user wants to install a program, he/she must have
Admin level access. (which must not be confused with root access)
When you
get the admin prompt when installing software, you are essentially
logging in as admin to allow the application to install. Yes, it is a
separate action, however, once you give the installation application
admin privs to install, it can do whatever it wants.
But Admin access cannot change the underlying system, it can only affect
the User, thus you cannot break OSX... and why no OSX systems have been
breached, no viruses, etc.
This was at the
heart of the issue with Sony Music and SunnComm.
Yes, but in Windows, that access level could actually alter the
"system", not so with OSX.
yes.
The UNIX/POSIX API, standard command-line tools and open source
tools leave malware unable to hide from a competent OS X administrator.
It takes a new UNIX programmer longer to choose an editor than it does
to write a console app that walks the process tree listing privileged
processes. Finding the owners of open TCP/UDP ports or open files is
similarly trivial. The "system" is not opaque.
1) Does not address root kits. and 2) the same can be said for Windows NT
Basic OS X features can be put to use to make life miserable for
malware. For example, Windows' hackable restore points are done better
by OS X's ability to create encrypted, read-only disk images. They're
simpler than archives, and you can mount them as volumes anywhere in
your file hierarchy.
I don't see where this is unique.
yes.
Likewise, OS X Server will image any Mac client or server's local
drives and maintain safe copies that can be used not only for
restoration, but which can be booted from to guarantee that there's no
trace of infection.
can be done easily with Windows Server as well....
When erase-and-reinstall is the only way to be sure, OS X Server
automates it. It can safely capture the affected Mac's active drives
before having that Mac boot from the fresh install image.
So, after all this, do I have enough to judge Windows inherently more
vulnerable to severe malware than OS X? I do.
I've been writing about these shortcomings for years, and it always
traces back to Microsoft's untenable policy of maintaining gaps in
Windows security to avoid competing with 3rd party vendors and
certified partners. Apple's taking a different approach: What users
need is in the box: Anti-virus, anti-spam, encryption, image backup and
restore, offsite safe storage through .Mac, and launchd. Pretty soon
any debate with Microsoft over security can be ended in one round when
Apple stands up, says "launchd," and sits back down.
Another contradiction, .Mac is an external application.
no. .Mac is not an application, it's a website / webdavsite / mailserver
/ sync server / calendar server / backup server / that interacts with
OSX, iLife, iCal etc. All the "apps" that work with it, reside on the
client / OSX machine.
Sorry Slade, OSX is just not a vulnerable OS, no matter how popular it
becomes. It's just not built like Windows, someday you'll learn, but
until then, you'll play the FOOL on CSMA.
Only a fool would believe that any OS is completely secure....
Well, it's a new age, and I think you'd agree Apple is the best in the
world at designing software / oses, so until there is a breach, I'm
right, and you are still living in a world damaged by Microsoft's inept
ability to build a secure OS.