Sunday, November 28, 2010

Mac Security Status Report, Part I

--
Introduction:

As a non-expert at computer security, it's a bit silly to believe I can provide any comprehensive report of current Mac security. However, I don't see anyone else bothering. Instead I see a variety of niche groups and niche skill sets involved with Mac Security but not pulling the pieces together. I also hear incessant vacuous FUD attacks from frustrated sources who wish Mac OS X was even remotely as unsafe as Windows blatantly is. It's plain old propaganda, not unlike the worthless political rhetoric in the media attempting to divide people through the promotion of fiction and fear. :-P

Therefore, I'm not going to worry about the areas in which I lack insight. Instead I'm going to take a stab at it and do what I do best: Examine the overall system of Mac security, provide some relevant details, then offer my summary and conclusions. Never rely on only one source of information about anything. Lord help anyone who uses Fox News as their sole political information source. Equally, lord help anyone who uses my work as their sole Mac security information source.

I) A Critical Mac Problem, Inadvertently Provided Via My Pet Troll:


The IT Ignorance Factor

Every source of difficult information has its trolls. It's difficult for Windows users to face Mac OS X security facts. Mac OS X is the #3 safest operating system available. The two better operating systems are OpenBSD and FreeBSD. It is no coincidence that Mac OS X is built upon an Open Source foundation that is based in part on pieces of both OpenBSD and FreeBSD.

This upsets my pet troll very much and makes him angry. This month he calls himself 'Tom' the troll. He is an anonymous coward reader of the blog, unwilling to let anyone know who he is or his stake in propagandizing Windows over Mac. It's all entirely dull and predictable to me. Occasionally my pet troll attempts to post FUD commentaries into my blog. I take a look at them, laugh a while, then step back and consider what pieces of his dishonest propagandist point of view could be useful to me. This time he wanted me to listen to the 'woe is we' rantings of one Roger Grimes, a Windows apologist and security analyst paid by Microsoft. You can listen to this fellow yourself at:

SecureABit.com

Scroll down to episode #67 of their podcast. Most of the dull program includes commentary from Mr. Grimes.

This fellow pulls the usual pro-Microsoft, anti-Apple myth mongering and propagandist garbage. What is unique in my experience is his defeatist attitude regarding computer security. He says essentially that we're all screwed no matter what, but OpenBSD is the best we've got for operating systems, but darn it's too difficult to use for mere mortals, so use Windows. (o_0) Oh that makes (no) sense! He then tosses out 'The Grimes Corollary' that restates the 'Security Through Obscurity' myth. Been there, killed that, yawned.

However, I was able to pull out of Mr. Grimes' rants one useful comment. It is this: Enterprise IT technologists don't adequately, or in a timely manner, patch the computers under their care. They also allow their users to use simplistic passwords that are easily cracked. This is most particularly evident on Enterprise Mac computers. The reason why is simple: Enterprise IT technologists rarely bother to learn Mac security or enforce it. Therefore, Mr. Grimes tells his tale of enjoying visiting businesses that integrate Macs because so commonly the machines are not up-to-date with security patches and are using easily guessed passwords. I would assume he uses a dictionary attack program against them; these days such programs are extremely fast and effective. He also keeps track of all the reported Mac vulnerabilities and uses them against unpatched machines.

So here we have Macs, the safest GUI OS based computers available, being easily cracked via very basic techniques that anyone's granny could use. This is shameful. Mr. Grimes would like to blame the users for this state of affairs. But of course it is the IT technologists and the IT managers who are entirely to blame. Never, ever, expect a business user to be any kind of technology security expert. To do so is to literally invite into your business The LUSER Factor. I've covered this issue many times in the past. It is the main reason why Mac OS X has any malware at all and is the reason that nearly all Mac OS X malware are Trojan horses.

There is more going on in the Enterprise than just problems of 'the user', or what's 'between the chair and the keyboard'. In business the computer is a tool, and the tool master is the IT expert in charge of that tool. This leads me to create another descriptive phrase that I call The IT Ignorance Factor. This problem occurs due to a multitude of factors. I'll toss out a few of them:

A) The business does not provide adequate time and resources for adequate computer maintenance. IT people often pull out their hair trying to get biznizz types to comprehend technology. But the fact remains that not keeping computers maintained means directly damaging the company. There are multitudes of tales of woe. Here is one from today concerning the shockingly computer ignorant US federal government:

US embassy cables leak sparks global diplomatic crisis

If the government's IT 'experts' had been on the ball, this could not have happened. I strongly suspect that they were kept off the ball with the help of bad management. This is when IT technologists must become educators and stop the 'boss' from being an 'ass'.

B) Laziness. Clearly most IT technologists live in the Windows world. Why bother to learn that other platform if they don't have to? You've heard this illogic before.

C) Fear. It sounds odd, but many IT technologists have trouble enough dealing with Windows hell. They're scared to get involved with another platform, making things even more complicated, or so they illogically believe.

D) Arrogance. Most Mac users have met the know-it-all geek who is a gawd of Windows and sneers at Macs. Then of course when someone defends the Mac these stick-up-their-ass bozoids accuse Mac users of going all 'religious' or counter 'arrogant', ad nauseam.... Therefore, of course such creatures are not going to bother to learn or apply proper Mac security methods.

There are of course more excuses and failings involved. Post your faves in the comments if you like.

    

Thus ends Part I. Further parts of my Mac Security Status of 2010 will include a summary of all the current active Mac malware, a summary of the consistent types of security vulnerabilities in Mac OS X, and a summary of the non-Apple security threats against Mac OS X. I'll be covering the Koobface/Boonana worm, the 'Evercookie' technique and how to combat it, as well as further coverage of the ongoing foolish attempt by the US federal government to backdoor every computer data encryption method.
--
