Is a Mac really more secure?


Swad

99 posts in this topic

Just one thing about your post bofors, I thought one of the major security points in OSX was that you can't log on as root, that those privileges are kept from the user (even admin). This is to keep any possible badware from being able to modify critical system files. I don't know if you could gain those privileges using the terminal (I would guess, it's Unix), but that would be going out of your way, and it would be password protected with the above measures. Please correct me if I'm wrong, I might be writing a load of bull here :)

 

Ok. After I finished typing this I went and tried to look for an answer, and this is what I came up with: http://developer.apple.com/internet/securi...urityintro.html

 

I think that I was very close to being right, and I'll keep looking for more answers.

 

Edit: ok, even admins are kept from root access until you do the whole GUI-based sudo command (username and password to confirm action).

Edited by rollcage
Link to comment
Share on other sites

I might be writing a load of bull here :)

 

You mean like this:

 

Despite what some uninformed, misled and probably low IQ people might say, the design of software, especially operating systems (because they are rather simple programs), has absolutely nothing to do with their performance, stability or security. It all has to do with "market share".
Link to comment
Share on other sites

No, it is possible to log on as "root" in OS X: http://www.osxfaq.com/tutorials/Root_User_Creation/index.ws

 

That tutorial is terribly complicated.

That is all I do:

Open a terminal.

Type: sudo passwd (or: sudo passwd root, if you prefer)

You'll be asked for your own password and then you can change (create) the root password.

Log out.

Now click on "Other", type "root" and the chosen password. Done!

Link to comment
Share on other sites

Remember a year or so ago there was a company offering $50000 for anyone who wrote a working osX virus, no one claimed the prize before the lawyers pointed out that it was a really stupid idea for a publicity stunt.

 

The whole "OS X is not targeted because of market share" is the biggest lot of bull {censored}. Macs are running unprotected, if you had a viable exploit you could gain control of 2~3% of the world's computers. AFAIK no virus in history gained control of that many computers.

 

bwhsh8r if you think you can write a mac os X virus do so, and I'll buy you a new mac. And I mean a virus; not a worm or trojan that requires half a dozen user authentications to work or only affects files in one folder.

Edited by consolation
Link to comment
Share on other sites

You mean like this:

Despite what some uninformed, misled and probably low IQ people might say, the design of software, especially operating systems (because they are rather simple programs), has absolutely nothing to do with their performance, stability or security. It all has to do with "market share".

 

That had me laughing my ass off for about five minutes, great response.

 

Macs are running unprotected, if you had a viable exploit you could gain control of 2~3% of the world's computers.

 

Then security companies such as McAfee and Symantec would probably love to start seeing some viruses pop up for the Mac. If they haven't already, think they would start trying to write their own, so that when people start getting infected people buy their product and they get the :P? That's just what I would do. :P

Link to comment
Share on other sites

Ok, so you agree that "market share" is not the whole story with OS X security and that Windows has some serious design flaws, like the "registry", that will continue to exist in Vista.

I don't think OS X will erase the booted system partition without asking for the "superuser" password. We know it uses normal Unix file system with permissions and such, so there is quite a bit of security that way.

 

 

Yeah, it's not the only part, but it is also logical that it would play some part in it.

 

And consolation, I'll give it a go, but I doubt anything will come of it... I'll try it after I attempt to ddos this certain website (no not this one) and my one idea was based around getting the user to inadvertently enter the superuser password? (goes to research bsd viri)

 

And "Despite what some uninformed, misled and probably low IQ people might say, the design of software, especially operating systems (because they are rather simple programs), has absolutely nothing to do with their performance, stability or security. It all has to do with "market share"." lmao, who said that (that the performance and {censored} was based on market share?)

Link to comment
Share on other sites

I reckon the simple fact that M$ still manufactures and releases systems that so utterly require a patchwork of third-party armouring (and then at the price Windows is actually being sold) is already a perversion in itself. It always seems to me as if M$ is proud of all this firewalling, anti-hacking, 'security' suggesting, easy-go-lucky attitude.

 

Picking up the 'dangerous neighbourhood' metaphor somebody has made here, I would make a real-life comparison that's a bit ... different.

 

There's one country which is based upon ideas of social darwinism, i.e. everybody is more or less unguided, unsupported and uncontrolled (so-called "free") in matters of making a career and at the same time freely tolerating the proliferation of all sorts of 'social viruses', the outcasts that got stuck along the darwinistic path, hence potential threats to society. At the same time, everybody is 'free' (and sometimes even encouraged) to arm themselves to the teeth and a fairly repressive police and justice system with plenty of prisons is put in place.

 

Then there's another country where things are a bit more moderated, regulated, more tight-knit in its social structure and based on common rather than individual interests to keep the number of elements slipping through the social cracks (and thus becoming potential viruses) to a strict minimum.

 

Needless to mention who is who I suppose...

Link to comment
Share on other sites

That tutorial is terribly complicated.

That is all I do:

Open a terminal.

Type: sudo passwd (or: sudo passwd root, if you prefer)

You'll be asked for your own password and then you can change (create) the root password.

Log out.

Now click on "Other", type "root" and the chosen password. Done!

 

That's not exactly the same as logging in as root, I think you are merely executing terminal commands as root. I mean, you would have to launch a program from the terminal to give it root privileges this way, when logged in as root that is automatically granted to any program running (such as a trojan that somehow gets executed from a download).

 

Otherwise, if you can accomplish the thing by just using "sudo" before each command. This is what I do now, there is really no need to enable root this way (and not doing it may actually be a little more secure).

 

 

EDIT: I missed these bottom two lines of Alessandro's instructions and had thought he was just talking about enabling the root account (so one can execute "su" in the terminal). His instructions actually do log one in as root.

 

Log out.

Now click on "Other", type "root" and the chosen password. Done!

Link to comment
Share on other sites

I reckon the simple fact that M$ still manufactures and releases systems that so utterly require a patchwork of third-party armouring ...

 

What really cracks me up about Windows "security", is that Microsoft is actually being threatened with anti-trust litigation for talking about including anti-virus software with Vista and otherwise trying to protect it by limiting access to the kernel.

 

Yes, let's make it illegal for Microsoft to fix a clearly defective product, it just isn't fair to others (nevermind the users). :)

Link to comment
Share on other sites

What really cracks me up about the whole Windows "security" industry, is that Microsoft is actually being threatened with anti-trust litigation talking about including anti-virus software with Vista and otherwise trying to protect it by limiting access to the kernel.

 

Yes, let's make it illegal for Microsoft to fix a clearly defective product, it just isn't fair to others (nevermind the users). :)

 

lmao, steve would cum his pants if that happens

Link to comment
Share on other sites

That's not exactly the same as logging in as root, I think you are merely executing terminal commands as root. I mean, you would have to launch a program from the terminal to give it root privileges this way, when logged in as root that is automatically granted to any program running (such as a trojan that somehow gets executed from a download).

 

Otherwise, if you can accomplish the thing by just using "sudo" before each command. This is what I do now, there is really no need to enable root this way (and not doing it may actually be a little more secure).

 

You *can* actually login as root following my method. I am logged in now. If I open System Preferences, Accounts, it tells me that I am logged in as "System Administrator", Short Name: "root".

I do agree with you, however, that there is no need to login as root in OS X, because with an admin account you have all the privileges you might need, and it is more secure.

Link to comment
Share on other sites

You *can* actually login as root following my method. I am logged in now.

 

Ok, I did not fully read your post. I just saw the part where you enabled root in the terminal and thought that was all you were talking about. I did not see you re-log in as root. Sorry.

Link to comment
Share on other sites

Interesting read. Sounds like some of his frustration is the overall design of the windows administrative systems. I don't think that anyone would argue that, given enough training and experience, a UNIX/POSIX/etc system admin will have more control over the nuts and bolts of the operation of the system versus a similarly trained Windows admin. Does that make it "more secure?"

 

Not particularly. According to his article the flaw in the Windows OS is the ability to "hide" things (in the registry, NTFS streams, using the SYSTEM user account). We know from experience, however, where to look for these things when we have a problem as a Windows Admin. Coming to Mac OSX server, I'd be similarly baffled at where a malicious person might "hide" things, even though I could see their processes running in launchd. How was it started, where did it come from, how did it get on the system could all be daunting challenges to someone who is not familiar with the OS.

 

These are what we call the tricks of the trade if you will for Windows admins. Here's an example of what I do with a new server install (like the recent Server2003/Exchange2003 dbstore I installed). I keep an image of my server installs. I image after OS installation, then again after software installation and configuration. I generally do not maintain an image beyond this point, unless significant changes to the system are made (new software added, major patches that require some kind of reconfiguration are released, new hardware is added). I maintain backups of the data directories for the software that is in use on the servers. If disaster strikes, rebuilding from this image should be a simple matter of running windows updates, any other minor software patches, and then import the data from the backup. The reason for this is to address his concern of hidden malware. If I have a clean image just after software configuration, I don't want to replace that image with anything that may have been corrupted down the line by some hidden file or process and it is tough to say what caused a server to go down when you walk in and it's "just dead". With a properly patched system, and with proper firewall protections in place, it is the simplest way (least time consuming from an administrative standpoint, slightly more time consuming from a recovery standpoint).

 

Also with this post-install image, I'm able to look at the number of processes that the computer and all its attendant software will be using. I can see (and document) the active processes which can help to identify any rogue processes at any point in the future. I have some software that I use which will record this information for me and I can quickly compare the process tree from previous time points to the current process tree looking for differences. This is why I call it the tricks of the trade because nobody told me when I started that I need to know exactly which processes were running on the server directly after install and configuration, but we learn through experience that this is valuable information in time of crisis. You also collect that wealth of IT resources for your field where you can go to find information about these processes - what does this process do and what software package does it belong to? Still more tricks of the trade.

 

I'm in the process of getting myself some type of OSX server to begin this type of learning process for OSX. Why? Because I'm sure there are little tidbits like this that are equally important to the OSX administrator that could be written in an exposé driven by frustration when one of us Windows Admins has a catastrophic event occur on his OSX server. I'm interested in testing the Active Directory compatibility of OSX Server, and I'm very intrigued by the "teams" concept they've announced for Leopard server (could it be the sharepoint/exchange/SBS killer that I've been dreaming of?).

 

At this moment in time, there's not a doubt in my mind that OSX is more secure. But I wouldn't go bashing on Windows because the sheer scale of the project they've undertaken is mind boggling and OSX (to this point) does not have the same scope of concerns. What do I mean? Windows has an ungodly number of legacy, 3rd party, and customized bits of hardware, middleware, firmware, and software that they are trying to keep compatible for as long as possible. Combine that with the number of platforms on which the OS runs and tries to maintain some level of inter-operability (Windows Mobile, TabletPC, EmbeddedOS, Itanium, and our 'lowly' x86's which come in their cornucopia of variants including the VIA series which are supported, not to mention the others I've forgotten about or are so obscure I don't know about). Balance that task with the huge base of already installed users in probably every country of the world and their varying requirements (you can't deliver security update CDs to the south pole via FedEx can you?).

 

Now, try to keep all of that in-line with the millions of developers on the platform who, in the course of their daily work, could be creating all manner of exploits to your system unwittingly or possibly even on purpose. Even if they're not creating the exploit, just the sheer number of developers will necessarily lead to uncovering almost every corner of the OS and thereby lead to uncovering even the most minuscule and unconventional methods for compromising a system which leaves the huge installed base vulnerable until you are 1. Notified of the problem 2. Able to verify, test, and determine the extent of the breach 3. Create some method of fixing the problem (if it can be done) 4. Notify the public of the problem 5. Distribute the fix

 

This is why I say that OSX has a security advantage "at this time." Apple has a reduced set of problems to deal with in comparison to Microsoft. First of all a major advantage is the authorized hardware. Sure Apple wants to support as many peripherals and gadgets as possible, but they offer a core set of hardware which they authorize. Keeping legacy support for hardware just got millions of times easier for Apple than their competitors. They don't have to guarantee you that your 3rd party automated toaster will work with their new OS. They might try to make it work for you, and the vendor might be in a real bind to get it working but for Apple the core set of hardware and software their customers "must have" is much smaller. Security wise, this is just easier because most often exploits use some legacy connector or compatibility mode for older software to compromise the system. Smaller number of legacy devices, smaller set of security issues.

 

The installed base is smaller. This is a "good thing" in terms of security. We all know the "lure" to hack the OS is lower because it is smaller, but unintentional discoveries of exploits are reduced. Many will argue that discovering the vulnerabilities leads to fixing them, but in reality vulnerabilities are generally dealt with in terms of which ones have the highest potential for damage, and the ones that are already being used to inflict damage. Leaving the vulnerability alone does not solve the problem, but it does create more work for the hacker who must first find the vulnerability, then create the tools to exploit that vulnerability. Furthermore, the potential for someone's application to unintentionally create a security breach is lowered because of the smaller user base, and the tighter integration of hardware.

 

Man I've been making a lot of long posts lately. I have a feeling I'm going on 'ignore' from some forum goers soon. As always, the above diatribe is my own opinion, it does not represent the views and opinions of other people (particularly those who are 'knowledgeable' or 'sane').

 

I am a network administrator myself. I have to say... this is a great post you made. I agree with it all, I do a lot of the same things you do with new servers and PCs for my network. I myself have been trying to get my IT manager to get some OS X server machines to start messing around with other options, still a way off I suppose, but your post does hit home. All very true!

Link to comment
Share on other sites
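The baseline comparison described in the quoted post above (record the process tree right after install and configuration, then compare later snapshots against it), sketched as an added example that is not from the thread or from any tool the poster names. The snapshot format (`pid ppid user path`), the sample data and all function names are constructed for illustration.

```python
"""Diff a current process snapshot against a clean post-install baseline."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user path")

# Constructed sample snapshots: "pid ppid user path" per line.
BASELINE = r"""
4 0 SYSTEM System
400 4 SYSTEM C:\Windows\System32\smss.exe
520 400 SYSTEM C:\Windows\System32\services.exe
900 520 SYSTEM C:\Windows\System32\svchost.exe
1200 520 SYSTEM C:\Program Files\Exchsrvr\bin\store.exe
"""

CURRENT = r"""
4 0 SYSTEM System
412 4 SYSTEM C:\Windows\System32\smss.exe
536 412 SYSTEM C:\Windows\System32\services.exe
880 536 SYSTEM C:\Windows\System32\svchost.exe
1310 536 SYSTEM C:\Program Files\Exchsrvr\bin\store.exe
2044 1310 SYSTEM C:\Windows\System32\cmd.exe
2100 2044 SYSTEM C:\Windows\Temp\updater.exe
2160 2100 SYSTEM C:\Windows\System32\svchost.exe
"""

def parse_snapshot(text):
    """Turn snapshot text into Proc records; paths may contain spaces."""
    procs = []
    for line in text.strip().splitlines():
        pid, ppid, user, path = line.strip().split(None, 3)
        procs.append(Proc(int(pid), int(ppid), user, path))
    return procs

def signatures(procs):
    """Identify each process by (parent path, user, path).

    PIDs differ on every boot, so they are only used to resolve the parent.
    """
    by_pid = {p.pid: p for p in procs}
    sigs = set()
    for p in procs:
        parent = by_pid.get(p.ppid)
        sigs.add((parent.path if parent else "<none>", p.user, p.path))
    return sigs

def diff_snapshots(baseline, current):
    """Return (findings, missing).

    findings: (kind, path, user, parent_path) for every process context that
              was not present in the baseline.
    missing:  baseline binaries that are no longer running at all.
    """
    base, cur = signatures(baseline), signatures(current)
    known_paths = {p.path for p in baseline}
    running_paths = {p.path for p in current}
    findings = []
    for parent, user, path in sorted(cur - base):
        # A familiar binary under an unfamiliar parent or user is flagged
        # separately from a binary that was never seen on the clean image.
        kind = "known-binary-new-context" if path in known_paths else "new-binary"
        findings.append((kind, path, user, parent))
    missing = sorted(known_paths - running_paths)
    return findings, missing

if __name__ == "__main__":
    found, gone = diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT))
    for kind, path, user, parent in found:
        print(f"{kind:26} {path} (user={user}, parent={parent})")
    for path in gone:
        print(f"{'missing-from-baseline':26} {path}")
```

Keying on the parent's path as well as the binary's own path is what catches the last sample row: a process with a baseline name started by something that was never on the clean image.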

The only way an OS can be 100% secure is if you never put it online or even use it for that matter. If you used it you might install something with a virus in it or have some stupid script failure or something like that. Abstinence my friends.

Or simply install an operating system that's not under attack, like OS X or linux :P It's almost the same as being offline. Mac users are in the unique position of getting all the benefits of being online, with nearly the security of being offline. You just cannot beat that.

Link to comment
Share on other sites

But Mac servers are known to be very slow, sometimes 4 times slower. On one forum they finally downgraded to a PC and Windows because the forum was so terribly slow for 6 months, no expert could tune it better. People complained about the slowness all the time. In the end they got a PC/Windows and the problem was solved. The server software is just so much better than PC software. Not my word, I have seen it in other tests in magazines too. OSX is good but do not use xserver.

Link to comment
Share on other sites

Lets just keep it simple......

 

 

Mac OS X kicks ass bottom line!!

 

But seriously, like everyone else has said, Mac has its flaws and Apple does a whole lot to stop any potential threats. Microsoft does the same but they just suck at it. Either that or they want people to buy new installation CDs after you lose the first one because it says Microsoft on it which tells you that you need to throw it out.

Link to comment
Share on other sites

For logging in as root, you can do that in the utilities folder. Anyone can really do it.

 

BUT...root access is turned off by default, as opposed to having that kind of access enabled in Misrocoft Curtains. OS X ships with all its ports turned off, as opposed to Curtains.

 

Now there are some advantages to Curtains also, but without third party extensions, they tend to be few.

Link to comment
Share on other sites

66% percent of the web servers run linux, we can say 66% of the internet is in linux hands.. so linux is a dominant OS... WTF? where are the super numerous linux hacks?

 

OSX is a superb system, it isn't hack proof, but I think: a hack or malware or virus in OSX will go to the first pages of any newspaper, whereas a hack, malware or virus on XP will just be emailed by the antivirus brand names... Why not hack it??? If what most of the virus makers and hackers want is just glory...

 

Now with Vista coming out, Vista is the target of everybody, and it's gonna be shot from the sky like a duck in hunting season. After copious hacks and malware plague Vista (probably caused by the stupid Vista "not authentications system" which asks the user for an ok in everything it does so the users will start to click ok in just everything without reading -just ok, it's not a password, it's just ok-), as I said, after seeing Vista fall from the security pedestal MS has put it onto (so they can sell it), the newspapers will be open again for an assault on Mac OSX, as always has been.

 

And, do you think the very nice and goodwilling Bill Gates is just sitting there waiting for some hacker to crack open OSX? Is that his style? Or does he have a black team working 7 days a week trying to do it in their labs?

 

just my two cents.

 

 

BTW

 

VERY NICE THREAD FULL OF INTERESTING POSTS AND LINKS

 

Way to go!

 

P.S. Can anyone imagine Bill's face when he saw Steve's keynote yesterday?

..."I want that!!!!"... From the Pirates of the Silicon Valley movie (it's a must see)

Link to comment
Share on other sites

And, do you think the very nice and goodwilling Bill Gates is just sitting there waiting for some hacker to crack open OSX? Is that his style? Or does he have a black team working 7 days a week trying to do it in their labs?

Just remember that it's thanks to Bill that Apple still exists.

 

After copious hacks and malware plague Vista (probably caused by the stupid Vista "not authentications system" which asks the user for an ok in everything it does so the users will start to click ok in just everything without reading -just ok, it's not a password, it's just ok-), as I said, after seeing Vista fall from the security pedestal MS has put it onto

 

As much as I like OSX, you cannot deny that Vista is the most secure version of Windows yet. It has lots of very clever security systems. Whether or not it will be enough is something for time to tell, but it certainly is a major step in the right direction.

 

And that dialog you are talking about is UAC. It does prompt you for a password if you are not an administrator (which is the recommended setting). The account you make at setup is an administrator account (just like OSX), so try it with a standard account.

 

and it's gonna be shot from the sky like a duck in hunting season

 

Well, it's been available since November (in fact, long before that, but RTM was in November). It's now January and no real exploits have been found. I'd say that's pretty good going, considering how many people are trying to find holes in Vista.

Link to comment
Share on other sites
