04-06-2012, 07:07 AM
potter
Quote:
Originally Posted by anexsia
http://www.digitaljournal.com/article/322338

"An unpatched Java vulnerability in Apple operating systems is the gateway to the infection. One of the significant problems is that no user action needs to occur for this latest version of the trojan, dubbed Flashback.K, to infect. Users can get infected by simply visiting a website on this go around, reports MacWorld."
I have to disagree with that. Wouldn't the user have to enable Java? I believe Chrome is the only browser that has it enabled by default. Safari and Firefox both shut Java down by default (rightly so I might add).

Quote:
Originally Posted by raymor
The idea that Mac is highly secure certainly has an element of truth, and is also somewhat based on how old Mac systems worked, a lack of functionality that made them immune to certain classes of attacks.


Mac was way more secure than Windows through the 1990s, and still is today, but in a different way, a more Linux like way.
Mac was the last of the pure disk operating systems. Through the 1970s, computers were multi-user, running network operating systems. That meant they had to be secure inside and out so that one user couldn't mess with another user's stuff. This was the age of Unix. 1981 was the dawn of the PERSONAL computer and its Disk Operating System. To make disk operating systems run with only 256k of RAM, all of that unnecessary security stuff was removed. That was cool. No need for security on a personal, non-networked system, so DOS, Mac, and then Windows were fine.

Then the internet happened. Suddenly, personal, disk based computers with no security were being connected to a global network. Microsoft quickly began tossing network features at Windows, like remote desktop and SMB. They even took technologies that were entirely inappropriate for web use, like COM, and renamed it ActiveX, selling it as an "internet feature." On a platform with no security, but with remote access, this resulted in all hell breaking loose, desktops averaging 30 different infections apiece.

Apple didn't go nuts putting things like remote network access on top of their disk based systems. They continued to treat it as a personal computer, not a (fundamentally broken) network computer, so they didn't have the security problems that Microsoft had. Mac gained a well deserved reputation for security at that time. (MS still hasn't finished cleaning up the mess. With Windows 7 they are starting to get CLOSE to having proper security for a network OS, pretty close to what the network OSes of the 1970s had.)

In 2001-2002, Apple went full bore with a completely different OS, an actual network OS with network OS security, a Unix known as OS X. (Unix 3.0 certified.) The new Mac doesn't have the security advantage of the old Mac, which lacked exploitable features like remote access. Instead, it has Unix style security - the user, and user-run programs, can't fuck up the SYSTEM. You may recall MS testifying in court that Explorer, which was both the MS browser and the desktop shell, is so deeply embedded in the system that Windows won't boot without it. That implies that exploits encountered by the browser can run deep within the system. Mac and other POSIX systems like Linux don't suffer from that. On Mac and Linux a browser is just a browser. It can only load web pages. It's not part of the boot process, so fucking with it can't fuck up your system.
Good point. Another one of Windows' main flaws from a security standpoint is it has a bad base, and in an attempt to fix the problem they have simply thrown ten pounds of shit on top of it. What I mean is Unix and Linux operating systems are more secure by default, it's just how the OS was designed. It is when you add user features to that base which starts to open up security flaws.

Windows however has an extremely insecure base. To fix this they've thrown a ton of rules and walls up on top of the base to try and close up any holes in the base. This is bad in a multitude of ways. The first being, it's still easy to hack - you just have to hack through multiple walls before getting to the base. The second being that now every time a user does something a little popup appears that "this is happening, do you want to continue" - that DOES NOT protect the user, it creates a UX that trains them to ignore operating system popups. Because after the 100th popup they're no longer reading the popup but just clicking the accept button. A third point being it creates the issue that a user must turn off a bunch of these "protection services" just to accomplish normal tasks. The operating system has so many of these walls up that a user by default must actually turn off a bunch of them just to do things a normal user would need to do. And then lastly, the point that there are so many walls up that they become utterly useless, easy to bypass, or another wall creates a rule that voids another one. For example the other day we were having a hard time moving some work over to an IIS server. PUT requests were being rejected. Well, this is because IIS assumes you only want to use half the internet and throws up dozens of stupid walls. We ended up resolving this issue with POST Tunneling, we passed the request as POST but with the header "X-HTTP-Method-Override : PUT" - problem solved. And the Windows "security rule" completely irrelevant and bypassed.
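The POST-tunnelling workaround described in the post above, seen from the filtering side, as an added example that is not part of the original post: a verb allowlist that inspects only the request line passes a request the application will execute as PUT, while applying the same allowlist to the effective method closes that gap. The allowlist, the `Request` class, the function names and the sample requests are constructed assumptions, not IIS configuration or code.

```python
from dataclasses import dataclass, field

OVERRIDE_HEADER = "x-http-method-override"   # header named in the post
ALLOWED_METHODS = {"GET", "HEAD", "POST"}    # assumed front-end verb allowlist


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def effective_method(req):
    """Method the application acts on if it honours the override header on POST."""
    hdrs = {k.strip().lower(): v.strip().upper() for k, v in req.headers.items()}
    if req.method.upper() == "POST" and OVERRIDE_HEADER in hdrs:
        return hdrs[OVERRIDE_HEADER]
    return req.method.upper()


def weak_filter(req):
    """Checks only the request-line method, as a front-end verb rule does."""
    return req.method.upper() in ALLOWED_METHODS


def strict_filter(req):
    """Applies the allowlist to the request line AND to the effective method."""
    return weak_filter(req) and effective_method(req) in ALLOWED_METHODS


def audit(requests):
    """Requests the weak filter passes although their effective verb is blocked."""
    return [r for r in requests if weak_filter(r) and not strict_filter(r)]


# Constructed sample traffic for illustration.
SAMPLE = [
    Request("PUT", "/api/items/7"),
    Request("POST", "/api/items/7", {"X-HTTP-Method-Override": "PUT"}),
    Request("POST", "/api/items"),
    Request("GET", "/api/items/7", {"X-HTTP-Method-Override": "DELETE"}),
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print("tunnelled verb:", r.method, "->", effective_method(r), r.path)
```

The same comparison works as a log review: any request whose override header names a verb the front end blocks is a policy mismatch between the two layers.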