Macintoshes are NOT inherently secure

Discussion in 'Backup and Security' started by dcvtss, Jun 4, 2009.

  1. dcvtss

    I'm trying to dispel the myth out there that many misguided computer users have that if they switch to a Macintosh suddenly their security worries are over. In my opinion Apple's marketing and some Mac users' cult-like devotion to the company are responsible for most of the propaganda. I am not against Macs; I think they are fine machines, if a bit overpriced, but for some reason the smugness of some of their users who buy it as some sort of BS lifestyle statement, running their mouths about shit they really don't understand, bothers me more than it should.

    http://support.apple.com/kb/HT3549
     
  2. The only reason Macs are more secure from malware is because malware producers focus on the biggest market.

    They simply don't care about Macs (or Linux PCs for that matter) because there aren't enough to be worth the bother.

    More secure? Yes, but not for the reasons the marketing literature states.
     
  3. Whatever system you are running, you need to be aware of security issues.

    Having said that, all operating systems are not equal.

    Microsoft historically had a shockingly poor attitude to security. Something like executing email attachments has never been allowed on *nix systems, for example. Microsoft never encouraged a "respect the root" mindset. How many Windows boxes are run permanently as "Administrator"? How many unpatched pirated copies of Windows are running out there in the wild? Microsoft does nothing about this, even though it potentially compromises the integrity of the internet. All of this stuff and more has fostered the growth of the criminal malware cottage industry.

    Here's another factor to consider. On Linux machines, nearly all the software - applications and operating system - are installed and maintained from a single source. And that source is the repository of the Linux distribution. This means fixes, upgrades and security patches for just about every bit of software on the box can be applied in a timely fashion. It is extremely easy to make sure all security patches are up to date for everything with a few mouse clicks - and system reboot is hardly ever required. If you make things this easy, then users will do them. There is no equivalent for Windows.

    A bit of hand waving about more Windows desktops is all too easy, but meaningless and has nothing to do with taking security seriously.

    A question to the first poster and the link posted. Did you actually look at the contents of the page? Many of the security notifications are for things like PHP, Apache, OpenSSL and suchlike, i.e. software products that run on all of Apple, Linux, BSD, Solaris, Windows, etc.
     
  4. Do you realize that what you are trying to do is no different than an atheist shouting there is no god? Those who believe will not be swayed by mere facts.
     
  5. timbo

    Trouble selling your trading plan?
     
  6. dcvtss

    I read the page; there are plenty of flaws for the core system, depending I guess on your definition of the core system for *nix systems - just kernel or networking utils, X11 etc. I figured someone would bring up the third party stuff being in there; point is 3rd party is a common attack vector, and Apache and BIND (which I would argue are associated much more with *nix, and by extension OS X, than with Windows) in particular have had a horrible record of security flaws over the years which, thanks to the design of Unix only allowing root to bind to the lower ports, lead to complete compromise of the system. Granted, there are plenty of well known mitigation techniques, but I would hazard to guess that they are well over the heads of the average Apple store shopper or the supposed "geniuses" that work there.

    I agree that Microsoft takes a way too lackadaisical approach to security, though I would say they have improved over the years. *nix can be secure, but as with everything else with Unix it assumes you know what the hell you are doing and are a configuration expert, which is a very big assumption; again, this is tempered by some of the newer Linux package management developments. Also, with the *nix systems, if you do get hit you are usually totally jacked and have to reinstall the OS. But even if you do get the patches installed quickly, who knows how long the exploit has been out there and how many systems got hit before they got the patch out.

    Bottom line is Apple does its users a disservice by promoting this "just buy a Mac everything works and nothing ever goes wrong" attitude, but I can't blame them; it sure seems to work from a marketing perspective.
     
  7. WTF do Apache vulnerabilities have to do with the typical Apple user, who will NEVER run Apache?

    The primary branches of the Unix family tree - Linux, BSD, and MacOS - are not "secure". They are, however, much more secure than the alternatives. The "too small market share to attract attention" argument is moronic - most of the internet traffic is routed through Linux boxes - there is no juicier target out there and hasn't been for nearly a decade now.

    The fact the internet works at all is a minor miracle and speaks volumes about the relative security of the underlying systems.

    You do yourself a disservice by assuming Apple users are too stupid to take marketing speak for what it is.

    Sheesh.
     
  8. maxpi

    *nix is inherently better securable by design. The protection comes in the form of what areas of the machine software is allowed to go. With Windows it's implemented with permissions and it's just a lot more vulnerable.

    Microsoft sucks in their efforts towards security though. They might assume that Windows is really a business platform and the corporations can secure with firewalls, but that leaves the average user in a real jam. Only with Vista did they finally require a password from the administrator account to install something. That says a lot about how little they cared about security.
     
  9. dcvtss

    Don't get your panties in a bunch honey, there are a lot more vulnerabilities on there than Apache.

    * CoreGraphics

    CVE-ID: CVE-2009-0145

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6

    Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues exist in CoreGraphics' handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds and error checking.


    I guess Mac users never open PDF files either?

    Most internet traffic is not "routed" through Linux boxes either; maybe what you meant is most servers are Linux? I agree with you there about them being a bigger target, but the term is relative as they are in general harder targets and the hackers overwhelmingly go for the low hanging fruit of unpatched, non-firewalled individual user machines, of which the majority are Windows boxes.

    I stand by my statements, the majority that I have encountered parrot the marketing-speak relentlessly.
     
  10. jprad

    Just because you can point a Linux box to a single point on the 'Net for updates does not mean that they're all maintained from a single source.

    Every Linux distribution is a conglomerate of separate pieces all coming in from different directions at different speeds and maintained by entirely different groups of people.

    If you think otherwise then you'd do well to check the homepage for a given application and find out just how in-sync the distribution is with the latest.

    Some of the largest and most popular distributions are the worst offenders with SuSE and RedHat at the top of the list for the customized versions of the kernel that they distribute.

    Fact is, a lot of work goes into building a distribution, a lot of which is devoted to differentiating themselves from one another.

    As a result there's a lot of lag between versions on a given homepage and what's in the distribution.

    It's gotten to the point that some teams, OpenLDAP for example, tell you right up front that you better not come knocking with a problem unless you've been able to duplicate it with a build of the latest, unadulterated source tarball first.

    That said, none of the popular Linux distributions suck anywhere nearly as bad at security as Windows does. No amount of hacking can fix a hopelessly broken design that lacks privilege separation.

    However, the OP does protest just a tad too much. Having to patch a vulnerability is one thing, having to deal with a working exploit is something else entirely.
     
    #10     Jun 5, 2009