Monday, March 23, 2009

Before: My current POV on Mac security

Before what? Before I read this article on Mac security:

Mac OS Xploitation
by Dino A. Dai Zovi

When (more likely than 'if') I have changed my POV after reading it, I'll post an 'After'. I find this sort of thing amusing. Consider me eccentric.

One of the places I hang out on the net is the MacEnterprise list. It is run by the Mac OS X Enterprise Deployment Project. I've cross-posted between here and there previously. Here is my post this evening to the list:

On Mar 16, 2009, at 03/16, 2:12 PM, Allan Marcus wrote:

This paper is from the author of the Mac Hacker's Handbook . It's rather scary and concludes . . .

The conclusions were fairly standard "Mac OS X is scary insecure!" stuff. Before reading the article, here was my reply:

I'm going to give it a read through as I am interested in Mac security.

But I have to give a few bits of perspective from my current POV. I know I'll get contentious arguments to the contrary, but here goes anyway:

1) This sort of article, in part, amounts to FUD (Fear, Uncertainty and Doubt). It is extremely rare to find articles with a full explorative comparison between UNIX (which is what Mac OS X actually is, legally, officially, etc), Mac OS X (meaning the other stuff Apple put on top of UNIX), Linux and Windows. Empirically, Windows is the single least secure commercially available operating system on the planet. There are plenty of people who have a stake in its success, despite this blatant problem. Therefore, it is extremely popular among them and the people who believe their con-job to FUD every other OS at every opportunity. The result is chaotic disinformation leading to stagnation, aka the status quo. I don't believe you have to take a 'political' or 'religious' stance to understand that this is the case.

2) And yet the seemingly endless barrage of FUD, initiated in August 2005 by none other than Symantec, has done nothing but *GOOD* for Mac OS X. All the FUD mongers and earnest, honest security experts out in the field have driven Apple out of their security slumber. Apple's resulting attention to Mac OS X security has increased exponentially. This is one reason I value competition in the marketplace. It keeps the competitors awake and innovative. Does this mean Apple is in high gear to make Mac OS X security impenetrable? I don't think so. But I do believe they are now serious and alert.

3) Apple's most insecure program is QuickTime. Mac OS X has its problems, but QuickTime has been Apple's security bane. If you go through the list of security fixes since December 2006, when this problem became blatantly clear over at MySpace, you'll find this assertion to be correct. Microsoft has gotten slammed for its poor multimedia code. But QuickTime has had its share of very similar problems, without getting nearly as much attention.

4) I don't care what OS you talk about. Buffer overrun problems are consistently the horror of programming to this day. I like to slam Microsoft for still using ye olde DOS memory management under the hood. But programmed memory management messes are just as prevalent everywhere else. From my limited coding education, I have to point to the now antiquated programming languages we have to use. Remember how Java was supposed to have solid memory management, among other miraculous safety features? Forget it.

5) Despite what gets thrown about in the FUD mongering chronicles, the fact remains that Microsoft have perpetrated some outrageously insecure code. Examples: JScript remains one big reason 'JavaScript' is insecure these days. ActiveX scripting is another Microsoft 'Welcome Hackers!' security hole made for the Internet. Vista is not entirely immune to either of these lousy technologies.

6) There never was such a thing as 'Security By Obscurity' for Mac. It's a total myth, and no one foisting the myth has ever presented a sane argument in their favor. Anyone can do the math. We currently have eight (8) Mac OS X Trojan horses. That is the full extent of Mac OS X malware in the wild at this moment. We have a market share that is maybe 1/10th that of Windows. So how come Windows has a massively disproportionate number of malware in the hundreds of thousands, with thousands more every year? There is something more going on here than Macs having 1/10th or less market share. That's a big 'DUH' in my estimation.

So I say, Bring On The FUD!

Despite the fact that every single piece of current Mac OS X malware requires social engineering methods to break into a Mac, that does not mean other methods are not possible. There is plenty of evidence to the contrary. There is no harm to the Mac platform whatsoever by striking fear of security breaches into hearts of its users. It just makes the platform that much stronger. Just don't go out and buy rubbish anti-malware programs from the FUD meisters. Equally, don't count on the freeware to cover your butt. For example, I've totally given up on Clam providing any relevant protection for Mac OS X. It's not happening. Instead we currently have to train users to not fall for social engineering tricks, while keeping up with security updates and watching Mac OS X relevant security news. If a time comes to use anti-malware programs for particular situations, so be it. Right now I'd turn to Sophos and Intego for the best quality solutions.

Please remember, this is just my personal limited POV. Obviously, gather in many more perspectives and make the best educated security decisions you can for your situation.

Thank you for reading my blether-fest,



No comments:

Post a Comment