June 04, 2004

Life Among the Lowly

Microsoft Windows guru Paul Thurrott is forced to destroy his computer's software installation and wipe his hard disk in order to save it:

Still Waiting for a Truly Secure System: I'm not laughing.... [T]he notebook I had planned to bring was suddenly struck by the most malicious software (malware) I've ever encountered. This Trojan horse got through my defenses despite the fact that I was running the Release Candidate 1 (RC1) version of Windows XP Service Pack 2 (SP2) with the firewall turned on. It was infuriating, and after hours of investigating, deep cleaning with various antivirus and spyware products, and consulting with my technical guru (Storage UPDATE's Keith Furman, a lifesaver), I finally gave up. As I write this commentary, I'm heading to New York by train, using a different machine, and my infected laptop is home, awaiting a complete wipeout....

Oddly, I've actually defended Microsoft and its security record. I've written--and I still believe--that no company is doing as much work as Microsoft is right now to secure computer systems and that, ultimately, this work will benefit us all as PCs become more and more adept at dealing with electronic intrusions. Last week, in a meeting at Microsoft, XP Lead Product Manager Greg Sullivan showed me how XP SP2 prevents a particularly nasty form of attack, in which malicious users can use chromeless (i.e., borderless) browser windows to hide warnings and make you think that you're accepting a valid bit of Microsoft code. The ingenuity in such an attack highlights the problems Microsoft faces as it seeks to secure Windows and its other products against increasingly sophisticated attackers.

But ultimately, I'm not as concerned with Microsoft's problems as I am with how the company addresses its customers' needs. One concept I've always tried to get across, whether here in Windows & .NET Magazine UPDATE or on the road during speaking engagements, is that we need to remember where we, as Microsoft customers, fit in the equation. We pay Microsoft for specific services and capabilities, and we need to start holding the company to a higher standard. And we need to demand better security--it's just not there today, not yet. And based on my recent experience, SP2 might not be the panacea I was hoping for. Indeed, days before my unfortunate experience with the aforementioned particularly irritating Trojan horse, Sullivan intimated during our meeting that SP2 wouldn't cure all security problems. Although the company is raising the bar in this release--dramatically, in some ways, especially for next-generation PCs whose microprocessors support the No Execute (NX) security technologies--SP2, like most technologies, will be too little, too late, for some people....

Pick your poison: Today, we have spam, browser phishing, browsing hijacking, Trojans, worms, and viruses and probably have other malware of which I'm naively ignorant. Call me a Luddite, but I long for simpler days...

There is a pathetic more-than-hint of "the chocolate ration has been raised again" in this: "no company is doing as much work as Microsoft... to secure computer systems," yes, but also no company has done as much as Microsoft to create insecure computer systems.

Posted by DeLong at June 4, 2004 07:21 PM
Comments

Git yerself a Mac.

Posted by: Angel on June 4, 2004 07:28 PM

____

As a Mac person who is trying not to be too smug, is their relative security a product of market share or of better security measures?

Posted by: MarkC on June 4, 2004 07:47 PM

____

Every operating system has security flaws. It just so happens that Microsoft's installed base is more pervasive, so it's a more attractive target.

Of course, the fact that Windows sits on top of an aging code base that's there for backwards compatibility and because it's simply too expensive to rewrite everything makes Windows a somewhat easier target, too.

There have been dangerous Mac security flaws, including a recent one that involved web pages that could launch Help, which, in turn, could run malicious scripts.

Mac is still safer, because it's better architected AND it's a less attractive target.

Posted by: Larry B on June 4, 2004 08:09 PM

____

Why do you say the Mac is better architected?

Posted by: Anurag on June 4, 2004 08:38 PM

____

He says:

"We pay Microsoft for specific services and capabilities, and we need to start holding the company to a higher standard. And we need to demand better security..."

The problem is, with the shrink wrap agreements and EULAs, how are you going to hold MS accountable? "If your computer breaks, it's not our fault" is the basic breakdown of the small print.

You can switch, but it's hard for many people to give up what they know. You want me to trade my gas-o-leen car in for an ee-lectric?

And to the smug Mac users (full disclosure: I'm one) the reason our pretty PowerBooks remain virus free is that the virus writers don't care to infect the 8 of us using OS X. Oh, OK. I know. You get my point, though.

Posted by: John Lyon on June 4, 2004 09:39 PM

____

Nonsense.

Mac OS X is a MUCH softer target than WinXP. Just as Mac OS 9 and earlier was as soft as Win9x (both were totally insecure, so to even compare them for attack potential is pointless).

It's just that the installed base of Windows is so much larger than that of the Mac. Virus writers will always target the PC over the Mac for the simple reason that when they succeed, they get 9x the payoff, and it is not (yet) 9x as hard.

One would think that an economist would understand this.

Note well, your Mac is only safe from virus attacks because no one is trying to attack it.

Posted by: Bones on June 4, 2004 09:50 PM

____

"Mac OS X is a MUCH softer target than WinXP"

A source or citation or link or something?

Posted by: anon on June 4, 2004 10:06 PM

____

Microsoft is certainly attacked the most because it is the de facto standard. But it is just plain wrong to pretend that that is the reason Microsoft has major security problems.

There are two major issues that Microsoft itself creates:

1) It chooses not to get tough with regard to bone-head buffer overflow and stack overflow errors. Its code is, literally, riddled with these errors. This type of exploit has been known about since it was first used to exploit Unix 20 years ago. Only very recently has MS made any concerted effort to fix these holes.

2) MS had, and to some degree still does have, a policy of always choosing a super easy user experience over any security feature. Until recently, it wasn't even possible to get a version of the home Windows software that understood file permissions. And even in XP, the out of the box install makes little if any pretense at securing itself.

Add to that the danger of a computer monoculture, and you have a recipe for security nightmare. AKA, modern Windows computing.

And saying MS is doing more for computer security than anyone else is like saying that the firefighter arsonist is doing more than anyone else to put out fires. Even if true, the guy still started the damn fires.

Posted by: Timothy Klein on June 4, 2004 10:59 PM

____

But most security problems experienced by end users don't really have much to do with buffer overflow problems. They have to do with executing the wrong email attachment, being tricked into clicking OK on the wrong web site, installing some downloaded program that contains a virus/trojan/spyware/etc., having an open port that gets spied by some script kiddie, buying a wireless network and leaving it unencrypted, and so forth. These problems occur far, far less with non-Windows OSs simply because virtually nobody bothers to target them with these kinds of attacks. And if they did it wouldn't work well because of their rarity - it would be rather difficult to spread quickly if you could spread only to Macs, or only to the rare Linux desktops using a particular Linux app.

The example from Brad's post sounds like exactly such a case - a trojan. Brad, I don't know if you have any idea what a trojan is, but the term is generally used to refer to a program that gets onto your PC via trickery and then actively or passively allows it to be compromised by other means. It doesn't do anything until you run it on your system - generally after having downloaded some program off the net, or clicked on some attachment, that looked "safe" at first glance. Because a trojan normally relies on the user to execute it locally, it bypasses most of a system's normal lines of defense. (This is why it's called a trojan... you let it through the walls). Nothing fundamental to the OS prevents trojans from working on Mac OS X or Linux.

Sure you could run Linux with all the "perfect" security settings on an account that is isolated from root privileges. You could also run Windows 2000 or XP Pro as a low-privilege user with most of the file system locked up. Very few non-experts bother to do either, and both strategies are still vulnerable to trojans anyway because so many legitimate programs require the user to be logged in as Administrator/root in order to install.

Posted by: Ian Montgomerie on June 5, 2004 12:07 AM

____

Heck I can write an Applescript applet that will format your Mac OS X hard drive silently if you're silly enough to run it. There is very little security in the world that can prevent the damage a trojan can do if the user is foolish enough to run binaries from a unknown source.

Posted by: Unseelie on June 5, 2004 01:14 AM

____

This may shock and awe some of you, but Paul Thurrott actually does own a Macintosh laptop, and I believe he is considering purchasing a second one to replace one he sold. He talks about this on his other website -- http://www.internet-nexus.com

Posted by: Wes McGee on June 5, 2004 02:17 AM

____

"Mac OS X is a MUCH softer target than WinXP"

Nonsense. The reason why the reverse is true - and incidentally, why Paul Thurrott's machine got trashed - is that in keeping with the UNIX culture, OS X users don't get to run as "root" unless they really, *really* go out of their way to do so, and the default privileges they *do* have don't permit them to trash their machines.

It really is shocking that a Windows "guru" like Thurrott lacked the good sense to be running with an ordinary "User" account, and to rely on the "Runas" command whenever he needed to have some administrative task done. If a guy with such a high profile can't understand something that's been drummed into any half-way security conscious person by CERT, Bugtraq and Microsoft itself, what is everyone doing looking up to him as if he knows what he's talking about? Not that I've ever taken him seriously anyway - his site is a good place to go for insider screenshots of Windows builds under development, but that's about it.

PS - In case anyone's wondering how I can be so certain that Thurrott was running under a privileged account, the explanation is simple enough; ordinary "User" accounts lack sufficient privileges to make changes to the %PROGRAMFILES% and %SYSTEMROOT% directories, to the HKLM portion of the registry, or to any part of the OS that can lead to a trashed installation. Had he been using an ordinary account, all he'd have had to do was logout, login as Administrator, and then wipe the "Documents and Settings" subfolder for his infected account.

Posted by: Abiola Lapite on June 5, 2004 02:46 AM
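One way to check the privilege point Ian Montgomerie and Abiola Lapite make above (that an ordinary User account cannot write to %PROGRAMFILES%, %SYSTEMROOT% or HKLM, so a trojan run under it cannot trash the installation), as an added example that is not from the original post or its comments: a PowerShell script that reports whether the current session holds administrative rights and probes write access to those three locations. It assumes Windows PowerShell 5.1 or later on a Windows host; the function names Test-IsAdminSession and Test-WriteAccess are my own.

```powershell
# Added example, not from the original post or its comments. Reports whether the
# current Windows session holds administrative rights and probes write access to
# the locations named in the comment: %PROGRAMFILES%, %SYSTEMROOT% and the HKLM
# registry hive. Assumes Windows PowerShell 5.1 or later on a Windows host.

function Test-IsAdminSession {
    # On UAC-enabled Windows this reflects the current token, so a member of
    # Administrators running a non-elevated shell correctly reports $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Probe by creating and then removing a uniquely named item. A file system
    # directory and a registry key path (HKLM:\...) are both handled.
    $probe = Join-Path $Path ("privprobe-" + [guid]::NewGuid().ToString('N'))
    try {
        if ($Path -like 'HKLM:*') {
            New-Item -Path $probe -ErrorAction Stop | Out-Null
        } else {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        }
        Remove-Item -Path $probe -Force -ErrorAction Stop
        return $true
    } catch {
        # Access denied (or a missing location) both mean this account cannot
        # modify the target from here.
        return $false
    }
}

# The three locations the comment names as off-limits to an ordinary User account.
$targets = @($env:ProgramFiles, $env:SystemRoot, 'HKLM:\SOFTWARE')

$isAdmin = Test-IsAdminSession
"Running with administrative rights: $isAdmin"
foreach ($target in $targets) {
    '{0,-40} writable: {1}' -f $target, (Test-WriteAccess -Path $target)
}
if ($isAdmin) {
    'This session can modify the OS installation, so anything run from it can too.'
    'Work from a standard user account and elevate per task (runas) to limit the blast radius.'
}
```

On a standard (non-administrative) account all three probes should report writable: False, which is exactly the property the comment relies on.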

____

Anyone remember the (now presumably unemployed) consultancy analyst who pronounced IIS to be fundamentally insecure?

What can we do today?

1. Insist that antivirus defenses be part of the OS. Oddly enough, this is the one product Microsoft has resisted assimilating, presumably because they (like Apple) fear the added liability. Sorry, this is something we CAN insist on. Antivirus software is SO intrusive it needs to be maintained by the OS owner.

2. Consumer routers need stateful inspection and antivirus software.

3. Switch to OS X. Like most OS X users I don't even bother with antivirus software - yet. I do monitor activities closely, and I may turn my av s/w back on in the future. I don't use Office or IE on my Mac, if I did I'd need antivirus software.

4. On Windows remove Outlook Express and lock down IE very strongly. Use Firefox or Mozilla for everything, reserving IE for a few things FF won't work on. Use Eudora, Thunderbird, or an alternative for email. Do keep antivirus s/w current on Windows, updating definitions at least daily. Set XP to automatically apply critical updates without asking for user intervention.

5. Keep multiple backups on multiple media with periodic backup archiving. (This is VERY hard with today's storage needs, even I don't do this one completely.)

Posted by: john Faughnan on June 5, 2004 05:20 AM

____

PS. I appreciate the suggestion to run as "User", but I find that EXTREMELY annoying under XP. Some apps don't save preferences, etc. I may try it again, with Fast User Switching so I can get to an admin account without disrupting my work.

OS X is much better in this regard. One can now access most admin functions when logged in as USER by entering an admin pw. It's not quite perfect, a few things require logout or sudo at the command line, but it's 10 times better than XP in this respect. (Since 10.3.3 OS X definitely passed XP in overall value, usability and reliability, prior to 10.3.3 I ranked them as equal with XP being slightly more reliable on good hardware. I use both very heavily, but XP most of all.)

Posted by: john Faughnan on June 5, 2004 05:24 AM

____

Brad,
One gets the sense that you cherry pick articles critical of Microsoft. If Microsoft comes out with an operating system that is better than the Mac, will you switch on the merits, or stick with your team?
One gets the sense this is chest thumping of a very geeky variety.

Posted by: theCoach on June 5, 2004 05:33 AM

____

As a person who sells computers for a living, I can tell you the two things I hear from virtually every customer: 1) I want the cheapest, 2) I want the easiest. Everyone who would ever think to be involved in a discussion on this level about computers and computer security would constitute 1% (a guess of course) of actual PC buyers. People don't think about security on the computer until *after* something bad happens. If you want security, it will have to be legislated, in the same way that most of the other security features around us are (seat belts, air bags, anti-lock brakes, fire retardant Christmas trees...and on and on and on).

Posted by: Mark R. on June 5, 2004 08:13 AM

____

You could pay the nice folks at Xandros or Novell or Sun or Redhat for a spiffy desktop Unix of one flavour or another, too; Apple hasn't got the only one.

Because Unixes are a cloud of co-operating components, rather than a single monolithic object, they're easier to change. Linux can add the NSA developed 'Secure Linux' role-based security model, and it is relatively invisible to the end user. (It might change which programs you could run, or how.) Apple could add -- as Sun is adding, with Solaris 10 -- a different file system, and an end user wouldn't notice at all. You can use different software firewall technologies by switching which set of kernel modules you're running, and that's all you're going to affect.

Because organization fundamentally constrains how you handle complexity, and because Microsoft uses the Red Army (all support goes to whomever is succeeding the most) organizational model, bits of Microsoft have strong incentive not to talk to other bits of Microsoft. This inevitably leads to worse software, because operating systems, networking, and security are problems in handling such tough complexity that we, as a species, have only got a limited number of people who can handle the problems at all, and an even more limited number of people who can do a really good job. (Reasons to be very glad for the Chinese and Indian university computer science programs, number three -- more geniuses means better software.)

The Unix model -- and it was the Unix model well before the Free Software folks formalized it -- assumes that you know perfectly well you have only so many geniuses. You accept this, and agree that, over all, your risk is much lower and your benefit is much greater if you give the output of your geniuses away, in return for the output of everyone _else's_ geniuses. That way, the really tough problems get collaborative solutions which everyone can use and no one faction, corporation, or entity could possibly develop or pay for. Equally important, the preferred solution is settled on by use, rather than availability or economic compulsion, so the computational ecosystem stays heterogeneous and doesn't pick up the nasty ecological consequences of being a homogeneous host environment for pathogens.

If you're Microsoft, though, yes, you have a lot of money, you can't hire all the geniuses; you certainly can't take your tens of thousands of employees and change their deeply entrenched cultural model. So you're stuffed; you're trying to handle ramifying complexity with a diminishing relative capacity to do so, as more and more human activity starts being mediated through computers and generating ever-greater amounts of complexity that needs to be handled somehow.

For a really trivial example, consider having to get left-to-right and top-to-bottom script support into a text editor; this isn't trivial, and as the Chinese and Hebrew and Farsi speakers start demanding real local language support, you have to do it.

This general complexity handling problem is going to whack Apple, too; they are trying hard to stick to a closed shop model, and they're trying hard for tight GUI integration, which is usually a mistake in security terms. They have the advantage of starting with a better OS model and being able to exploit the open-shop Unix model for some of their core technologies, but eventually the complexity burden is going to squash them, too.

Or they're going to become an appliance company, and get out of the desktop computer business, or give up on the closed shop. Hard to say.

Posted by: Graydon on June 5, 2004 08:43 AM

____

But, the voting computers will work perfectly, of course.

Posted by: Yesh on June 5, 2004 09:36 AM

____

"One gets the sense that you cherry pick articles critical of Microsoft."

Well, if I may be forgiven for saying so, duh. This is a weblog and the proprietor doesn't claim Olympian, or even Kent Brockmanesque, objectivity. To argue that he's arguing is not a sufficient rebuttal.

Posted by: Chris Marcil on June 5, 2004 10:13 AM

____

Graydon: "The Unix model -- and it was the Unix model well before the Free Software folks formalized it -- assumes that you know perfectly well you have only so many geniuses. You accept this, and agree that, over all, your risk is much lower and your benefit is much greater if you give the output of your geniuses away, in return for the output of everyone _else's_ geniuses."

While this may indeed have turned out to be the Unix model -- and I worked at Bell Labs when Unix was moving out of research area and into use by the rest of the technical staff -- I regard it as a fortuitous accident. At that point in time, AT&T was constrained with regard to entering new lines of business. Given that they made efforts to generate revenue from Unix once those constraints were removed in 1984, it seems more likely than not that, if they could have entered the commercial software business earlier, they would not have shared Unix so readily.

I spent considerable time and effort in 1988 and 1989 "liberating" a piece of Unix software so that it could be more widely distributed. It clearly had no commercial value -- but it took many, many hours on the phone with the AT&T lawyers to convince them that sharing it with a larger community was a reasonable thing to do.

Posted by: Michael Cain on June 5, 2004 10:29 AM

____

"As a person who sells computers for a living, i can tell you the two things i hear from virutally every customer, 1) I want the cheapest, 2) I want the easiest."

Well the absolute cheapest is Linux. I have two desktop linux distros which I do development on, Suse and Lindows. They're both excellent. My small software company has 3 machines. The .Net machine (hardware plus software) cost 4X as much as my bestest linux.

Posted by: camille roy on June 5, 2004 01:47 PM

____

My sister's XP just went through the exact same thing 2 days ago. She had to wipe everything out and start from scratch.

The more I know about XP, the more I want to stay the hell away from it. 98 may be old and stupid, but it has been virus/Trojan/worm free for 4 years.

Posted by: vachon on June 5, 2004 03:20 PM

____

"It's just that the installed base of Windows is so much larger than that of the Mac. Virus writers will always target the PC over the Mac for the simple reason that when they succeed, they get 9x the payoff, and it is not (yet) 9x as hard. "

three words: capability based security.
http://www.erights.org/index.html

and
http://renoir.info.ucl.ac.be/twiki/bin/view/INGI/MILOSProject

the company doing the most for security: http://www.combex.com/

"The Unix model -- and it was the Unix model well before the Free Software folks formalized it -- assumes that you know perfectly well you have only so many geniuses. You accept this, and agree that, over all, your risk is much lower and your benefit is much greater if you give the output of your geniuses away, in return for the output of everyone _else's_ geniuses"

Unix is not intrinsically more secure than Windows, they are both ACL secure systems. In the Unix case ACL security is layered on top of the mode-based security.

Posted by: bryan on June 5, 2004 03:54 PM

____

Timothy Klein writes: "2) MS had, and to some degree still does have, a policy of always choosing a super easy user experience over any security feature."

Actually, I think they have had a policy of choosing a super-easy-for-commercial-exploitation approach over any security feature.

ie, they'd rather leave in openings, back doors, and exposed hooks, that make Windows attractive for companies, even if that makes life unpleasant for users.

That's the only explanation I can come up with for why it took so long for them to put a popup blocker in Internet Explorer. They didn't put it in because businesses wanted to be able to put up popup windows in front of Windows users.

It's not like it's a difficult feature to implement.

Posted by: Jon H on June 5, 2004 04:09 PM

____

Graydon writes: "This general complexity handling problem is going to whack Apple, too; they are trying hard to stick to a closed shop model, and they're trying hard for tight GUI integration, which is usually a mistake in security terms. They have the advantage of starting with a better OS model and being able to exploit the open-shop Unix model for some of their core technologies, but eventually the complexity burden is going to squash them, too."

Then again, the complexity handling problem was *already* whacking them when they bought NeXT and opted to scrap the old OS and move to a Unix/Mach-based system.

So, hopefully, they've taken the issue into account, to some extent, in their work on OS/X, which may help them handle problems that pop up in the future.

Posted by: Jon H on June 5, 2004 04:27 PM

____

Chris Marcil,
I really have no interest in rebuttal. I think De Long is a Mac cheerleader and will root for his team regardless of what they do (and I wish the future were brighter for Mac OSes, but I think they are not).
In this case, I find it particularly odd that practically all of the criticisms of the software are a direct result of market success (viruses), or, a direct result of business decisions that got MS market share (backwards compatibility).
I am glad he likes his Mac -- I hope he does not find the switch to Microsoft software too difficult or too embarrassing when he does so in two to three years.

Posted by: theCoach on June 5, 2004 08:22 PM

____

theCoach,

"I hope he does not find the switch to Microsoft software too difficult or too embarrassing when he does so in two to three years."

I'm not so certain that I will be using Microsoft software in three years time - speaking for myself as a current user of Win2K. It's not that I dislike it, although I am still appalled at how many security bugs it has. (There were 30 odd discovered last year.) It's that 2000 will eventually no longer be maintained by Microsoft, and will encourage their users to go for another, "newer" MS - XP or (possibly) Longhorn. I could probably use 2000 for another year - but if MS give up bug-fixing, well, it's not safe to stick around.

I have no wish to upgrade to a newer MS system. I'm unimpressed with XP - it looks more colourful than 2000, but that's all. (It's also a bit slower.) And Longhorn (for which MS have some shiny new graphic screen and database-like filesystem) will probably end up like a buggy, bloated, piece-of-shit OS that will take 3 GHz to run. Methinks some geek will find 5 holes in the filesystem within 2 months of production. I don't want it.

Maybe Linux will be a little bit easier to install by then. Or the Macs will be much cheaper - MacOSX sounds good, from what I heard. They may not be as easy to use - but they sound quicker than MS. And more secure.

Peter

Posted by: Peter Murphy on June 5, 2004 10:18 PM

____

Need eComStation.
More stable than win and easier than Linux

www.ecomstation.com

Posted by: gh on June 6, 2004 07:14 AM

____

Michael --

I'm not saying that they did it on purpose; I'm just saying that this is what happened.

Lots of good stuff happens due to lucky accidents, and I'm extremely grateful for that one.

Bryan --

Doors are doors, too, but there's still a distinction between how much security benefit one derives from a carefully installed steel door and an interior grade chunk of hardboard with spacers.

Peter --

You can buy a pre-installed linux PC these days.

Posted by: Graydon on June 8, 2004 06:14 PM

____

No one here seems to be experienced in IT security. As someone who does deal with that area virtually every day:

1. Security is the responsibility of the OS vendor. Users should not have to understand how the OS functions to be able to work safely.

2. The OS vendor must not provide easily exploited holes in their OS, or in primary applications such as Outlook. Microsoft has failed on this front for years.

3. The OS vendor may provide features which in certain circumstances could let users cause problems. The vendor must then allow the user to determine whether the feature is enabled, AND by default prevent it from being exploited by informing the user what's happening. That way the user can say (e. g.) "no, don't run this software I never heard of before."

This notion of "popularity" of Windows is a red herring. The fact is that the exploits are numerous and have been exploited to the extent that there are now GUI-based tools for crafting your own flavor of a particular exploit. In other words, it's not even necessary to know how to break into something by hand; just download the tool off of the Internet. Who needs to learn how to pick locks (which means knowing how locks work) when you can just get the master key for 40% of the locks? (Assuming 70% of PCs run Win2K or XP, and most of those aren't patched correctly.)

In conclusion: any security precaution can be bypassed by a human who so decides. A couple of years ago, I was in a hotel room asleep when the maid, without verification, let in a young man who pretended he'd left his key in the room. He took off running when he realized I was in there. (I checked out fifteen minutes later and made a big stink.) With respect to computers: assuming its employees don't behave irresponsibly, I don't expect my hotel to use easily-picked locks on its rooms.

Posted by: IT Person on June 8, 2004 06:39 PM

____

