PCs are shit. Macs rule. I get it now.

spectrum do you have any comment on my post above? (post #97).

I don’t particularly have any problems with Macs but the “Mac snob” attitude just grates on my nerves.

Unclviny

It’s not to say that a virus for a mac can’t be written, it just hasn’t been done. The percentages just aren’t worth the payoff. Yes, there’s a lot of mac users, but due to marketing and consumer apathy, there’s a lot more PCs around because they’re easier to find, cheaper to get from a standing start, and a lot of people purchased them back before OSX came out to be all shiny and neat. More PCs equals more targets, so more people concentrate on trying to break/exploit the system. If the numbers were inverted, then you bet your ass that there would be mac security alerts every damned week, just like with PCs running windows.

Hi! I’m Clippy!
I notice you’re trying to insult a hippie.
Would you like to:
Insult his hair length
Insult his personal hygiene
Tell him to get a job

Precisely; it’s pretty disingenuous to suggest that the number of viruses written is a direct indicator of a system’s quality, particularly when one considers that the primary method by which the major viruses of the past few years have spread is by tricking people into executing them manually. If a virus writer can convince a user to run executable code with full privileges, there really isn’t much you can’t do to stop it from spreading, short of encouraging people not to be thick, and not to run executable attachments. I could write a Mac “virus” in half an hour and the only differences between it and the iloveyou virus (or whatever it was called) would be that I wouldn’t have sent it to anyone, and that there aren’t really enough Mac users around to provide a sufficient network effect for it to spread.

Here’s your first OSX virus:


#! /bin/sh
cd ~
rm -rf *

I’ll email it to you with rwx permissions and call it something like “anna_kournikova.jpq”; you just agree to click on it, okay? Because I hate to break it to you, honeybuns, but that’s how the majority of the most destructive Windows viruses have spread. Perhaps while you’re rebuilding your home directory, you could explain to me how OSX is any more protected against viruses which simply rely on the user to run them with full permissions? I’d love to know. Then we’ll let you get back to gloating about your prized security by obscurity.

[disclaimer for everyone else: I like Macs, I don’t think Windows is perfect, yada yada, please don’t bite me]

Sort of accurate, as far as it goes. You could trick a person into deleting their home directory, as you described. Note that it’s not as easy as you said–if it’s a plain text file (a normal script) which is labeled with a .jpg extension, it simply won’t open. It’s not a valid .jpg, and has no meta information to tell the system that it’s actually an executable.

If you did include meta info (which, iirc can only be done if you make it a packaged app, so it wouldn’t come through as a file anyway, but a folder–but let’s grant it could be done), it would still require more user intervention. The OS knows that this is a script (aka, software) and will hence require an admin password before installing–a great red flag.

Also, what would be more difficult to do would be to combine this with a worm delivery system, and/or to have it install spyware, a spam relay, to hose the entire system, etc. I’ve arranged those in escalating order of difficulty. If you can get the user to jump around enough to install the app, or even include it in a fake shareware game or some such, then yes, getting an MTA running as the user would be possible. Of course you’d also have to convince them to go admin and change firewall settings.

It’s almost impossible to do anything to the system (as opposed to a user’s home directory data) unless you can convince the user to enable and login as root–highly, highly unlikely. Whereas, the large majority of Windows users (even in the corporate and Uni worlds, unfortunately) either run as admin all the time or have no password on the admin account.

FYI: you say above, “that’s how the majority of the most destructive Windows viruses have spread”; this is untrue. That’s how they’ve delivered their payload on that machine, upon arrival. Spreading themselves is the next step. Technically. Distinct problems with distinct probabilities and paths.

Anyone who’s interested can do a google search on something like “mac security through obscurity myth” to read a lot more about this.

Oh yes, I realise all this; I was being somewhat facetious. I just wanted something readable to make a point, and I can’t type in binary. And I’ll happily admit that at least part of the problem with Windows of yore was email clients (Outlook Express, I’m looking at you) that made executable attachments look innocent, but this is no more the case for (say) Outlook these days than it is for the average Mac email client.

I don’t believe an executable would need admin rights to contact the network (although I base this on my *nix experience rather than my limited Mac use). No installation should be necessary to scan for common locations of address books, and send itself onwards, nor should admin rights be necessary to execute it (unless this is a particular feature of one’s email client, which isn’t really a part of the OS). I’ve certainly managed to execute attachments on a Mac for which I had no admin access, and it didn’t seem to object too strenuously. Certainly, a firewall would cut out (or at least flag) the outgoing traffic, but again, this is just as true of Windows as it is of OSX, which is pretty much the point I’m trying to make.

Granted, although this is more a problem of usage than one of OS insecurity; MS deserve some blame for not encouraging a better user policy on installation, but it’s just as possible to run an XP machine with a secure user account as it is an OSX one. I’ll admit that I run XP with an admin-level account (at home, not at work), and I’m a postgrad CompSci researcher. I do it because there’s no particularly convenient way of running commands with escalated privileges in XP without logging out and back in, and I’m pretty confident in my ability to keep my system safe by other means. But if I get hosed, it won’t be anyone’s fault but my own. I do look forward to Longhorn, however, which by all accounts has had a lot more attention paid to user policy.

Yes, but my point was that once the user has been conned into executing the payload, the program can do pretty much anything the user can, such as email everyone in the user’s address book. And I think I’m on pretty safe ground saying that this is indeed how the most prolific viruses have spread. Of course, that’s prompted corporate email policies the world over which now forbid anything even remotely executable-looking, so it wouldn’t work nearly as well these days.

Sort of true. For example, Outlook comes with ActiveX control capability turned off by default now. However, there are still fun tricks like a current common one: name the executable payload ‘foo.jpg.exe’. Windows conveniently hides the ‘.exe’ extension, user looks and thinks it’s an image file, double-clicks, and voilà! Install.

Sort of right, again. The key here is the firewall, which on the Mac requires the entry of an admin password (unless you’ve played with it previously and then left it unlocked).

Right, and that’s the key. It’s hard to be useful in Windows without being logged in as the administrator, unless you’re knowledgeable enough to set things up properly. In my experience on a help desk that supports over 100,000 users, I’d say that most people don’t manage the user accounts well. You know enough to still keep your system safe, even running as admin all the time–most people don’t.

True. I just dispute that getting the user to execute the payload is as easy to do on a Mac running OS X as it is on a Windows machine, for the reasons discussed above. And because the firewall, unless a user mucks about with it, will prevent remote control of a zombie box, the worm-virus (most of them are hybrids these days) may be a mailbox nuisance or destructive to user data but is unlikely to be of larger implication (except possibly as a timed, pre-programmed DDOS mechanism).

Additionally, this discussion has all involved taking advantage of user configuration. There’s also the issue of exploiting even a well-configured machine via “bug” type vulnerabilities; I’d submit that there are more of these on Windows (far more) than on OS X with its BSD base, for two reasons. First, BSD has been endemic on the Internet for 20 years or more, and Unix generally for longer than that. It has been one of or the major server OS for decades, has been mostly ‘open source’ (before there was such a movement), and as such the basics have already been pounded on, and mostly had their vulnerabilities addressed. Secondly, it’s more difficult, again, to affect the OS via a user account or a rogue application, as everyday apps aren’t running as root/admin. There’s a large effectual difference in installing a payload on a user account, and affecting the OS and being able to rewrite Trojans into other apps, etc. It can (it won’t always, but it can) make the difference between being able to affect one user’s data, and being able to turn the machine into a useful zombie, relay, or the like.
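
Added example, not part of any poster's message: a mail-gateway style check for the two disguises discussed above, the ‘foo.jpg.exe’ double extension and a script or binary carrying an image extension. The extension lists and the function name screen_attachment are assumptions made for this illustration, and the sample inputs in the comments are constructed.

```python
import os

# Illustrative lists, not exhaustive (assumptions of this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".sh", ".command"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc"}

# Leading bytes a genuine file of the claimed type starts with.
TYPE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Leading bytes that mark runnable content whatever the name says.
EXEC_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"#!": "script with interpreter line",
    b"\x7fELF": "ELF binary",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit binary",
}


def screen_attachment(filename, head):
    """Return (code, detail) findings for an attachment name and its first bytes."""
    findings = []
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    name = filename.lower().rstrip(". ")
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]

    # Name-based checks: what the user sees versus what the OS will launch.
    if ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        findings.append(("double-extension",
                         f"appears as '{stem}' when known extensions are hidden"))
    elif ext in EXECUTABLE_EXTS:
        findings.append(("executable-extension", ext))

    # Content-based checks: do the first bytes agree with the claimed type?
    kind = next((k for m, k in EXEC_MAGIC.items() if head.startswith(m)), None)
    if kind and ext not in EXECUTABLE_EXTS:
        findings.append(("disguised-executable", f"{kind} named {ext or '(none)'}"))
    elif ext in TYPE_MAGIC and not head.startswith(TYPE_MAGIC[ext]):
        findings.append(("type-mismatch", f"content is not a valid {ext}"))
    return findings


if __name__ == "__main__":
    # Constructed samples: (attachment name, first bytes of the file).
    for name, head in [("foo.jpg.exe", b"MZ\x90\x00"),
                       ("holiday.jpg", b"#!/bin/sh\necho hi\n"),
                       ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF")]:
        print(name, screen_attachment(name, head))
```
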

What does this mean, exactly? Running .Net programs on IE in Win95? Do you mean running a .NET Web Client in an IE browser running on Win 95? Because that’s not what I was talking about. I’m talking about a full Windows application running on the .NET libraries.

ok.

Outlook will still alert the user to the fact that the attachment is executable, even if the extensions are hidden. I do agree though, that the filename extension hiding is possibly the stupidest UI decision implemented in XP, and is invariably the first thing I turn off when installing XP for someone.

Hmm - not having used the Mac firewall I’ll take your word for it, although I received no such warning box when installing Opera in my user space on the college Macs (OSX 10.3, I think). I’ve got to say having to enter the admin password for every new program wanting to access the network would drive me nuts, though.

Granted, but then again as a relative power-user, I’m more likely to be annoyed by the restrictions of running with a restricted user account. It is something that needs attention paid to it (I’d never run nor want to run a linux box as root, for example), but it’s hardly the sort of gaping security chasm between Windows and MacOS that rjung would have us believe.

I think this depends what vintage Windows we’re talking about. It’s been quite a while since the last all-conquering Windows virus; a combination of Outlook improvements, corporate email policy and things like SP2 seem to have done a great deal to eliminate the “email muppet” target vector for viruses. A large part of the perception of Windows security was created in the bad old Win9x days, which are by now all but ancient history. Just as spectrum was earlier rightly complaining about preconceptions based on 6-year-old Mac software, it seems unfair to persist with Windows gripes of nearly 10-year vintage.

Depends if we distinguish between Windows and Internet Explorer (which I will make no attempt to defend). While I don’t think XP the OS is as bulletproof as a BSD variant, I do believe it to be a pretty secure product in and of itself. Once you factor in IE, then I agree, actual vulnerabilities become much more common on Windows. Properly used, I get as many successful viruses or attacks on my Windows box as I do my linux one; none. And that’s a simple matter of not using IE and installing a decent firewall. It really isn’t difficult at all, and that, to me, indicates that Windows in and of itself is not fundamentally insecure.

It would to circumvent the Firewall, as has been pointed out. Also, when doubleclicked, the OS would pop up a warning saying “This is the first time you have run the program AnnaKournacova.jpg. Do you wish to continue?” or something to that effect (don’t have the exact wording down), alerting the person doubleclicking to the fact that this was not a graphic file. There’s no way any OS can protect from a user stupid enough to click “Launch Program” after that prompt.

Windows XP SP 2 tends to do this, as well.

Not if you want to use any of the myriad of programs that only work in an Admin account environment. Plus, Windows defaults to creating admin accounts. That’s just bad all around – they’re actively encouraging dangerous behavior, and then not requiring constant reauthorization of admin actions as a protection against harm. Apple is way ahead on this mark.

Did anybody read the OP? Did you? Did you completely ignore it?

That’s what I thought.

Go back, read it again. Now. I’ll wait.

Now, let’s get back to making fun of tdn’s boss, shall we?

No, you FilmGeek, I find this hi-jack absolutely fascinating. Besides, as has already been said, Macs rule, while PCs drool, and any attempt to reinforce the OP conception to the contrary would do great harm. :)

Seemed to me that that was pretty much exhausted, and people have legitimate questions and an interesting discussion here… maybe it’d be more appropriate in its own thread…?

True, but these are a) 3rd party (excluding ancient MSN Messenger versions), and b) diminishing in number (I certainly don’t think I’d describe them as “myriad” - could you give some examples?). The habits of crap developers can’t entirely be blamed on MS. Again, I think this is a case of Windows the user experience as contrasted with Windows the OS itself. The former could still use a lot of work, the latter is pretty sound, IMHO.

Yep, I agree, and acknowledged as much (as have Microsoft, even). But the transition from what was (and let’s be honest here) a complete pile of shit in the form of the Win9x line to a proper OS requires a fair bit of changing of user habits. While I think it’s obvious that MS bottled it in choosing to deal with user accounts as they did, you can certainly see why they did so. Switching straight to an admin/limited user model would have caused a hell of a lot of user confusion, and while it’s easy to say in retrospect that it would have been worth it, the downsides at the time must have seemed considerable, not least in terms of backward compatibility.

As a by-the-by, I work in a CompSci department split approximately 45/45/10 percent between Windows 2K, Linux and OSX machines. No-one seems to bother evangelising anyone else, and no-one has conspicuous or disproportionate problems with their system of choice. It’s quite nice, really. Weird how when everyone gets on the internet where the choice of OS becomes even less relevant, it suddenly gets all heated. :)

Undoubtedly. There are some interesting new technologies making their way into Longhorn (e.g. virtual machine abstractions for protected execution environments) that I believe will make MS a security laggard no more, though. Basically, they’re paying attention to security these days, as are a lot of users, which has already made the world of difference. Now, if only we could convince MS to just kill IE, it’d all be great.

Yeah, I read it. I thought the motion that tdn’s boss is a poopyhead had been carried by now, though.

Oh, sorry about that. A bit more specifically: Connections across common ports (outgoing http and https, 110/25/587/465 etc for common email functions, outgoing telnet and SSH) are allowed by default and don’t require any intervention. But if an app tried to, for example, listen on a random high port (8194, or something) as most current viruses end up doing, it would get nothing. It could still send out via a common port (like 25), assuming such traffic isn’t blocked at the network level.

Somewhat true, yeah. Two things. First, there are still many, many people running those systems, and running them unpatched. That’s irrelevant to a discussion of pros and cons of a new system today, but this second one isn’t: XP had similar issues until the release of SP2. The default installation has become much more sane with SP2, but there are still, as you note below, more problems with it (as you noted below) than with a BSD variant. Tangentially, for what it’s worth, I’d agree that the relative security and lack of viruses on OS9 and earlier Macs was mostly security through obscurity–the BSD base and some nice interface bits (like requiring the admin password for potentially truly dangerous actions) are the key.

Somewhat agreed, again. What’s true is that it seems (so far) that the XP firewall product does perform its job adequately (and various third party ones, as well)–but that doesn’t say anything about the security of the OS underneath the firewall, of course. You’re right, absolutely, that a Windows box can be responsibly secured. But, for the average user, out of the box and without a lot of fiddling, the OS X install is a better balance of secure and usable, I’d say.

The IE thing you mention is part of the key–not using IE on the net is a great step but still inadequate. You’re using it anytime you’re using the computer, and sometimes you’ll be explicitly on the web with it no matter what–such as using Windows Update. It’s a serious vector and it’s hooked thoroughly into the OS such that exploits for it easily become OS exploits.

Like you’ve noted it’s a multi-prong approach. You can make up for the various problems if you know how to configure the machine, but again, for the multitudes out there who use it pretty much out-of-the box, the problems are there…

So very true! Just to recap: I think Windows made a lot of dumb decisions in the past (maybe for at-the-time good reasons, as you noted), and that we’re still suffering today. I agree that properly configured it’s not much more vulnerable than BSD variants like OS X (just inasmuch as it’s less time-tested, has-more-exploits-to-yet-be-uncovered). I think that out-of-the box, using it the way the average user does and is “encouraged” to because of its defaults and limitations, it is less secure. You’re right, in general, that for most of the nasty crap that goes around today the solution is in the interface choices and user education more than the OS itself, at this point.

spectrum, it is against the rules to wish death on another poster. Consider yourself warned.

Okay, okay. Sorry, Mockingbird.

However, I would like to point out that in a properly-wired house, that shouldn’t kill a person. Really, it should only be a very bad shock. At least, according to my EE professor from way back when.

In my experience, people who make statements like these have never done anything remotely resembling low-level kernel programming.

And let’s keep the terminology clear: any platform can be host to a trojan, where you trick a user into running a program that nukes their data and does other crazy stuff. But a genuine virus or worm, where the malware installs itself, propagates itself, and actively prevents its own removal is a whole 'nother ball game.

…yet, amazingly, keeps popping up on Windows PCs and Microsoft servers more than their peers using MacOS X, Linux, or Apache.

I will make one final attempt:

spectrum do you have any comment on my post above? (post #97).

I don’t particularly have any problems with Macs but the “Mac snob” attitude just grates on my nerves.

Is there a reason that you will not answer me?

Unclviny

I see nothing in post 97 to reply to.