Size Doesn't Matter

by Jason Deraleau


With the recent pain that SoBig and Blaster have brought to computer users around the world, a Mac evangelist would hope that more and more people are considering the Apple platform. While we can hardly expect droves of Windows users to switch after these frustrations, we can at least take pleasure in our relative invulnerability from them. Sure, your inbox and mine as well has been flooded with PIF and SCR files, but they don't break anything and after a few Mail seems to be piping them to the Junk folder where they belong.



But what is it that helps keep us safe from harm? Is it because we have a minority platform? Is it because of stronger security concerns by Apple's developers? Or have we inherited Unix's legacy of security? While all of these come into play, far too many people seem to be pointing to the first.



Virus writers tend to not have convictions. While you might find messages imploring "Billy" Gates to secure his software, don't be fooled into thinking that these malicious individuals write their software as a political statement. Far from it. What drives these miscreants is something far simpler than a desire for more secure software. Besides, if Microsoft really took security to heart, these folks wouldn't get to have their fun.



No, something much more basic is involved here. I think it's the challenge. There's a good amount of challenge involved in writing a virus, hacking a system, what have you. But, just like everything else in life, there are varying forms of challenges involved in computing. At some point we all face the challenge of first learning to use a computer. How to click the mouse, type in some text, maybe use the command line. Then there is the challenge of learning the Internet and its many wonders. These are things that all users go through.



If you want to be a malicious person, there are plenty of challenges for bad purposes in computing as well. And if you're looking to get your foot in the door, Microsoft Windows offers plenty of easy entrances. Due to the general lack of consideration for security in Windows, one can write a pretty destructive program with very little effort. The operating system itself does very little to restrict a user's actions, nor does it do much to restrict the actions of an application that might be running on that user's computer.



The Windows security model, which, contrary to popular belief, does exist, isn't as well thought out as that present in a Unix operating system. On top of that, it doesn't have 30 years of corrections and adaptations integrated into it like Unix does. With Mac OS X, Apple adopted Unix and inherited 30 years of tried, tested, and true security. Are there viruses and worms on Unix? Of course, but they are fewer in number and usually, once discovered, corrected much faster than anything coming out of Microsoft.



When a security flaw was found in Samba, it was maybe a week before Apple had released a fix through software update. By choosing Unix, Apple has gained the advantage of thousands of programmers around the world who all take security to heart. Security is a core goal of every Unix project. Yet on Windows, it almost seems that security is an afterthought. Other things are more important to Microsoft than the security of its customers and their systems. It's really a sad state of affairs when a company that doesn't take its own security to heart lands a contract with the US Department of Homeland Security.



So, next time someone says that there are obviously not viruses on Macs because hardly anyone uses them, put them in their place. Tell them the real truth: that security is at the foreground of Unix and thus Mac OS X. Tell them security's not an afterthought, but one of the main factors that is driving the platform. Then tell them to patch their system so I stop getting all of this weird traffic coming to my computer and these annoying emails ;)



What are your thoughts on security? Do you like where Apple is going with it?


20 Comments

revdiablo
2003-08-28 14:21:00
yes!
I am glad to hear somebody else express this. I have been saying it for years. Incidentally, I usually blow the trumpet for Linux and other free (libre) unix-like operating systems, but it's just as valid an argument when talking about the unix portion of OS X.


A nice example I like to use is that of Apache. If popularity was really the leading indicator of how many viruses, worms, and various other exploits are launched against a product, then Apache would, by far, have the highest count among web servers (consider the Aug 2003 Netcraft web survey shows Apache running 63% of the web). The fact that IIS has more successful worms -- in fact I have trouble thinking of *any* successful Apache worms -- shows the "more users == more exposure == more exploits" line of reasoning to be fatally flawed.

wegrosso
2003-08-28 17:29:14
Don't be silly
Oh, come on. We're all a little pissed off at the security-exploit of the week, but this article is nothing but smoke and misinformation.


Herewith a critique.


"The Windows security model, which, contrary to popular belief, does exist, isn't as well thought out as that present in a Unix operating system."


Really? What is the Windows security model and why do you think it isn't well thought out? Can you refer me to a design specification and a critique of it? Or are you just blowing smoke?


"On top of that, it doesn't have 30 years of corrections and adaptations integrated into it like Unix does. With Mac OS X, Apple adopted Unix and inherited 30 years of tried, tested, and true security."


This mistakenly conflates each of those 30 years. It's fairly clear that years 1970 to 1985 (e.g.before the era of the mass-market PC) were less valuable from a security-testing point of view than, say, 1995 was.


Similarly, there are hundreds of millions of Windows boxes; and Windows is *the* tempting target. So there's vastly more effort spent on hacking Windows.


It's also fairly clear that the unix code base has forked literally hundreds of times, and that most of the current unixes are less than 30 years old in most of their essential parts.


"Are there viruses and worms on Unix? Of course, but they are fewer in number and usually, once discovered, corrected much faster than anything coming out of Microsoft."


Fewer? Corrected faster? Really? Open to question at the very least.


http://linux.oreillynet.com/pub/a/linux/2003/08/27/insecurities.html


http://www.newsfactor.com/perl/story/19996.html


"By choosing Unix, Apple has gained the advantage of thousands of programmers around the world who all take security to heart. Security is a core goal of every Unix project. Yet on Windows, it almost seems that security is an afterthought. Other things are more important to Microsoft than the security of its customers and their systems. It's really a sad state of affairs when a company that doesn't take its own security to heart lands a contract with the US Department of Homeland Security."


Vast overstatement! Security is not a core goal of every unix project. It isn't even a core goal of most unix projects. There are hundreds of thousands of Unix programs out there, and most of them were NOT written with security in mind.


Ditto for Windows. Security is an afterthough with almost all software products. That's the way the world is-- people won't buy the software if it ain't got features. So those come first, and security is an afterthought. C'est la vie.


"So, next time someone says that there are obviously not viruses on Macs because hardly anyone uses them, put them in their place. Tell them the real truth: that security is at the foreground of Unix and thus Mac OS X. Tell them security's not an afterthought, but one of the main factors that is driving the platform."


Really? I thought it was the "lickable" icons.

anonymous2
2003-08-28 18:30:16
Re: Don't be silly is an ignorant dolt
Go over to www.infowarrior.org and get an education. The site is written by Richard Forno, who was most recently the chief information security officer of Network Solutions. If, after reading his two most recent articles you think WinXP is more secure than MacOS X, then you're a moron.
anonymous2
2003-08-28 20:30:03
Don't be silly
"Really? What is the windows security model and why do you think it isn't well thought out? Can you refer me to a design specification and a critique of it? "


One doesn't need to look at a design specifcation when real world performance demonstrates the security problems with Windows so well!!


Use some common sense.

wegrosso
2003-08-28 22:43:28
Don't be silly
"One doesn't...."


Yes, one does. There are two claims here. (1) that Windows is cracked more often and more seriously than other operating systems and (2) that this is a result of a security model that wasn't well thought out.


(1) is questionable (see the links) to start with.
But even if it were true, there are explanations other than (2). For example "The reason Windows gets hammered on security more is because it's such a big target."


If you want to argue for (2), I'm going to ask you to show some evidence. At the very least, I'm going to ask you where you learned about the Windows security model and why you think it's so flawed.



anonymous2
2003-08-29 05:39:45
Don't be silly
You're mixing servers and end user operating systems. But hey, either/or are way less secure on the Windows side. Why that is the case is always going to be subject to debate regardless of the facts.
Apache is by far wider in adoption than IIS and indeed has way fewer vulnerabilities (none I have ever heard of) - so there's your server side.
Running Mac OS, I have never had a virus. Conversely, I have never met a PC owner who hasn't gotten a virus or worm or who hasn't patched their system continuously (thus preventing them from getting the virus when it arrived in their inbox). Not to mention the hoax e-mails telling users to delete system files.
senjaz
2003-08-30 02:59:42
yes!
Whilst that would normally be true IIS is installed on client PCs for personal web sharing just like Apache is on Mac. So world wide I would expect that there are many more IIS installations than Apache if you include non-commercial hosting. It's these machines with broadband connections which provide the juicy target because unlike hosting companies these everyday users don't think so much about security.


So the "more users == more exposure == more exploits" line of reasoning may not be fatally flawed.

anonymous2
2003-08-30 08:35:34
Don't be silly
Here's one very simply aspect of the way Windows security works that is flawed and has far-reaching effects:


The way it handles user permissions.


Many windows users run windows as "administrator" or an account that has administrator level access. These accounts allow the user (or any applications running at the time) to modify any file not in use at any given time (running files can be modified as well by setting them to be modified/replaced at boot time). All of this can be done without asking for an additional password beyond initial login.


To modify system files on OS X or install software one must be either running as root (which is, by the way disabled by default and not easily re-enabled unless you've got some unix & netinfo knowhow) or one must enter one's password AGAIN for each one of these system modifying tasks. This not only gives the user pause but it also runs all system modifying tasks by the user. Certainly there will be users foolish enough to infect themselves through this path but it stop all of the automatic infections wherein the user isn't even asked.


To compound this many of the security fixes released for OS X, including the one mentioned (samba) are for services that are disabled out of the box. Another was for OpenSSL, which is used by openssh and apache (if ssl is enabled for apache) tasks and daemons (and configurations of daemons) that most "average" users won't be using. There may be some other GUI applications that folks might be using that would be affected (browsers perhaps, I don't know if any mac browsers use openssl) but even in this case if a worm were to make its way in it would be a user process infected and a password would still be necessary to infect on a system-wide basis. Another was only a local exploit (the screen saver vulnerability). And there aren't many more patches than this that have been released for OS X. Checking Software update I have 3, yes, that's right 3 security updates, one from june, one from july, and one from august and a combined updater from some time ago. While there are certainly some security updates are rolled into these combined updates I don't really ever recall having more than having one of these each month. Can you say the same for your windows box?

anonymous2
2003-08-30 12:47:25
Right from the horse's mouth... er, uh, Chin.
James Allchin (sp?) himself testified to Congress that it would be a security catastrophy if they were forced to let their source code be read (by the Gov? I don't remember the details) because there are so many security holes. This is a VP at M$! And he testified to the U.S. Congress (essentially) that Windows security sucks. Can anyone with half a brain question this fact after such testimony, and after the recent demonstrations of such suckiness?


C'mon. Get real.


(I used to have the article on the office fridge. I think it was in InfoWorld or eweek, or a similar mag. I'm sure you can find it if you look.)

anonymous2
2003-08-30 12:50:54
oh yeah, I forgot to mention
Mac was much more secure previous to OS X. So the UNIX underpinnings in this case are more of a liability. But with open source come many advantages, which largely off-set the vulnerabilities of UNIX.
anonymous2
2003-08-31 05:00:58
Capitalizing on indeterminacy
The issue of comparative security seems to be one of those topics that requires experts. For a layperson, it's like politics: all information is second hand and provided by partisan parties. Faced with this kind of dilema, it makes sense to ask not which is designed more securely, but which is practically more secure.


In other words, the argument that Windows is more vulnerable only because it is more popular is irrelevant even if it is true. In practice, Windows is obviously far more vulnerable than anything else. The question of whether Windows is designed less securely only becomes relevant when trying to assess responsibility. Give up Windows (and a number of other popular Windows products) and you give up 99% of your security concerns.


In any case, the issue of responsibility is what is most discussed, certainly outside the arena of experts. As I suggested before, this is mostly a matter of politics and media discussion. A humourous example: on the subway I caught the headline on the front page the business newspaper the man across from me was reading. The headline essentially said, Microsoft says it will be 2 years before it can end viruses. I'm no expert, but somehow I would imagine a more appropriate time frame to be 20 years - or never.


Brilliant PR though, and that's what counts.

anonymous2
2003-08-31 22:44:32
Don't be silly
you want to see how bad windows security model is? take away administrator access on your windows 2000 or windows xp home user account and let me know how far you get.


do the same with mac os x. i think you'll find you can do MUCH MUCH more without needing administrator privileges.


that, is the "proof" you wanted, that the security model of windows is so is flawed -- you need administrator access just to get by with basic applications on a dailey basis.

anonymous2
2003-09-01 00:45:05
typical...
Typical Mac evangalist posting.
Microsoft didn't wait for weeks for the RPC hole to be fixed, they had the patch out in days.


Problem is that many users don't bother to install patches until the need for them is shoved down their throats. That's nothing that's limited to Windows users either (though the percentage among them is possibly larger because there are more computer illiterates among them as the effort to get working with a Windows based computer is far less).


As to Windows being inherently less secure than *nix/MacOSX, I doubt it.
While Windows was designed for non-networked computers (and therefore network security was not considered until relatively late in life), *nix was designed for closed and trusted networks where noone would bother to break into your machine because everyone was friendly.
Both systems have their flaws, neither is perfect. One advantage of Windows is that it's far harder for people to go actively looking for those flaws in order to exploit them because the source isn't available (anyone with a text editor can get to the source code of just about any *nix program and scrounge it for security holes, then write something to exploit those).
That's the other side of open source, not only the good guys get the source, the bad guys get it too. And there are a lot of bad guys out there (more than good guys, if you count the masses who just use the software and don't work on it as neutral).

anonymous2
2003-09-01 03:09:40
typical...
Two things: admins in a corporate environment don't often install those patches, because it more often than not breaks third party software.


Open source is considered by most security experts better as far as security goes. Bugs are catched more quickly, either because of a contributor stumbled on a bug, or because the openbsd team found one during a security review.
I also have no idea why you think the bad guys don't have access to the source of windows. A Russian group of hackers had access to microsoft servers for months, and were able to download the source of windows 2000.

anonymous2
2003-09-01 03:14:31
oh yeah, I forgot to mention
You call an operating system with no concept of file access control and decent support for multiple users, a secure OS? It barely had any memory protection!
anonymous2
2003-09-01 03:17:35
Right from the horse's mouth... er, uh, Chin.
http://news.zdnet.co.uk/internet/security/0,39020375,2082221,00.htm


Oh dear :-)

anonymous2
2003-09-02 08:06:40
It's all about the x bit
On windows you can execute anything. Put a file there named .exe and it'll run.


On unix, you have to also figure out how to set the +x bit on the file. You have to either work a chmod or get a shell to do it. On windows, if you can write and exec you're good to go.

wegrosso
2003-09-02 10:03:03
Re: Don't be silly is an ignorant dolt
Did I say Windows XP was more secure than MacOS X?
No. What I said was that the "arguments" proferred in the article weren't particularly valid. From the claim that Unix has been battle-tested for 30 consecutive years to the claim that every unix application has security in its crosshairs to the claim that ...


If you want to debate the security of operating systems, it's good to present facts and arguments. Since this is the web, hyperlinks to reference documents are often good things too.

Otherwise, you're just preaching to the choir.

anonymous2
2003-09-02 11:45:45
oh yeah, I forgot to mention
Its silly for you to even suggest that the classic MacOS was less secure than the classic Windows versions.


Where are the thousands of classic Mac OS viruses then?


In fact Apple was so confident of the Mac OS's security that they challenged hackers and the like to break into Apple's own MacOS based servers. If they did, they would win a free PowerBook 3400c ($6000 -ish base price).


Nobody won the contest.


I had to buy my 3400c :(

anonymous2
2003-09-03 08:50:05
oh yeah, I forgot to mention
it's completely idiotic for you to suggest to say that classic macos is more secure than macosx.