“Over the past year, I have advised readers who are fed up with the plague of viruses and spyware on Windows PCs that one way out of the mess is to switch to Apple Computer’s Macintosh. There has yet to be a report of a successful, real-world virus for the Mac’s current operating system, and there is little or no known spyware for the Mac.” says Mossberg.
While Switching to Mac Will Improve Security, It Isn’t for Everybody
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
So, what hes saying… is that a Mac will fit the bill for what 90% of people use their computers for.
So if you’re a hard core gamer or a person who works in a very specialized industry that doesn’t have the idential, equvilent or better alternative that is only available on OS X… THEN maybe you would be best suited to stay where you’re at. Otherwise, OS X is very much something that you should be considering.
I am a Mac user and I love Mossberg’s column. As usual, he is dead on. There are some things Macs do better than Windows and there are some things you can only do on Windows (usually just specific programs). And, sure, the UI is slighly different and there is a little bit of a learning curve.
In my opinion, it’s worth switching for most everyone, but there are always some who don’t want to or can’t for one reason or another.
Personally, I wouldn’t have opted to link to this article as the title on reinforces the notion that most people have reason to stick with what they’ve been using for reasons other than the fact that you’re simply comfortable with it, but the gist of the actual article (unfortunately something the trolls rarely read when it comes to Apple news) actually supports the argument that the vast majority should be considering a Mac.
Unfortunately, it seems that there is a large group of people that visit this site who post on Apple-centric news who have no other agenda other than to discredit Apple.
What it boils down to is if you’e interested in a better computing experience, and dont mind waiting for the occational good game (and being excluded entierly from the lame ones) and maybe also missing a few apps in niche vertle markets but also want to be totally unbothered by virus concerns whatsoever all while paying the same or less than an equally equipped PC… then a Mac is for you.
I just don’t understand why the single button mouse is even an issue… Why does it need to be brought up?
If a two button wheel mouse means that much to you then use one! It’s not like the OS prevents it.
I’ve noticed an interesting trend as of late… More and more people are not only considering buy a Mac but are doing so despite previously being previously being vocal about never wanting to buy one in the past.
Being a Mac users myself, I find it interesting how so many of them come to me after they’ve made the switch and realize how so many of the things they thought about the Mac (which kept them from considering it in the past) were totally wrong and that they didn’t realize why I had been so devoted to going against the grain all this time.
I’m coming across so many switchers these days that what’s funny about it is that the people who were so extremely vbocal against Apple and the Macintosh in the past are now being major advocates for the platform.
The reason the Mac has no spyware is because it’s so insignificant, not due to some magical security of MacOS X.
After all, this is the OS that suffered several no-confirmation remote code execution exploits in the integrated browser due to core design decisions in the desktop. I wonder what that reminds me of?
The whole argument about using one mouse button stems from the fact that Windows REQUIRES 2 buttons to be productive. To use only one button would be to limit your capabilities. For that reason so many WIndows users can’t fathom why Apple has decided to restrict their mouse to 1 button. Apple has always refined their technologies so that it requires the least amount of redundant technology… which includes mice. They tackled the problem of needing a modifier button by refining the OS in such a way that using a single mouse button would make you more productive. When I switch to the Mac a few months ago, I didn’t realize this until I tried using the single button mouse for a while and used the OS correctly as it was meant to be used. I’ve since discovered that I am more productive with Apple’s single mouse button than when I use a mouse with multiple buttons. Of course Windows users won’t understand this unless they actually use OS X and also do away with their biases beforehand.
“The reason the Mac has no spyware is because it’s so insignificant, not due to some magical security of MacOS X.”
There are different schools of thought on this. Obviously you adopt the security by obscurity argument. That argument doesn’t hold up however because it would mean that Apache would have more exploits than Microsoft’s servers as a result of being more popular… but they don’t. Apache continually proves to be more secure.
Although the obscurity argument does weigh into the picture to some degree… the reason why OS X is more secure than WIndows is because OS X does not ship with any ports open by default while WIndows ships with several on.
— QUOTE —
The reason the Mac has no spyware is because it’s so insignificant, not due to some magical security of MacOS X.
— QUOTE —
And your source for such information is … ? Speculation? Straw poll of the spyware writers union?
— QUOTE —
After all, this is the OS that suffered several no-confirmation remote code execution exploits in the integrated browser due to core design decisions in the desktop. I wonder what that reminds me of?
— QUOTE —
Quite a bit of difference between a BUNDLED browser and INTEGRATED browser. Safari is BUNDLED with Mac OS X, while IE has been INTEGRATED into Windows.
And I believe you are referring to the Help Viewer issue, which has nothing to do with the browser at all other than a convenient vehicle to deliver the URLs.
I bought an iMac (flatscreen) and had all these same concerns about switching… What am I going to be missing out on, what am I going to lose etc etc etc.
What I’ve since found is that while its true that I may have to wait on a few game titles (and as someone else mentioned) will miss out on most of the lame software nobody uses, I’ve found that OS X has the same software or alternatives in every product category that most people use that are equal or better then their Windows alternative.
A friend of mine didn’t believe me and to prove it, I let him take away my PC for what what was origionally supposed to be a month to show that I wouldn’t need Windows for anything… what was supposed to be a month has since turned out to be 4 now. While I have since asked for my PC back… its only so that I can put it up on ebay.
I bought an iPod last week… (first Apple product I’ve ever owned) and decided to buy a Mac mini while I was at it (first Mac I’ve ever owned) . When I brought it home, I found every piece of software that I currently use on Windows for my Mac. Granted, that surprised me… but when I found that there are several apps that are Mac-only and are better than what I’ve used on Windows (at least in my opinion) I was blown away.
For any potential switchers out there… make sure to check out http://www.versiontracker.com“>version . There you will find every piece of software to any application you will ever need.
you can count me +1 for fitting that profile. i used to be a very vocal anti Mac person. my experience with it was pre OS X. I figured OS X would be more of the same.
That was then.
Now I find myself impressed with OS X (eagerly awaiting Tiger) and am attracted to the UNIX (FreeBSD) roots. Add in that I can run my favorite apps (some of which are through the crummy X11 interface, but still), and I’m game. I now find myself trying to pawn my 1 year old machine on my wife so I can ‘upgrade’ to a G5.
What it boils down to is if you’e interested in a better computing experience, and dont mind waiting for the occational good game (and being excluded entierly from the lame ones) and maybe also missing a few apps in niche vertle markets but also want to be totally unbothered by virus concerns whatsoever all while paying the same or less than an equally equipped PC… then a Mac is for you.
What I highlighted in bold is the most important thing, because I would imagine that if you use those apps in ‘niche vertle markets’, Macs are going to be all but useless. I mean, even if I had virus/security problems in Windows (which I don’t), what good would it do me to switch to a Mac if I’m using these apps? Either I have the apps I need with security issues, or I don’t have the apps I need with no security issues. I think if that were the case, if I wanted to make the security issues go away by getting rid of my computer, I’d probably just do without a computer altogether instead of buying one that doesn’t do what I need it to do.
This is the thing that anti-Windows zealots fail to understand – as flawed as the OS is, it still is a ‘necessary evi’ for some things. But I would agree that the majority of people really don’t need it.
@Sam:
There are different schools of thought on this. Obviously you adopt the security by obscurity argument.
Please, Apache has nothing to do with this. Apache has a track record of very few security problems. MacOS X does not. The two cases are not comparable.
@Petrokalis:
Quite a bit of difference between a BUNDLED browser and INTEGRATED browser. Safari is BUNDLED with Mac OS X, while IE has been INTEGRATED into Windows.
Safari comes with the OS, is the default browser, and automatically downloaded and integrate arbitrary native code into the system. This sounds very much like IE, which comes with the OS, is the default browser and is able to automatically download and integrate arbitrary native code into the system (via ActiveX).
The exploits I was referring to are indeed not only the help viewer problems (which Microsoft also had) but the one where an internet enabled DMG would be automatically mounted and any URL handler (or file assocation) contained within would be linked into the system. Broken by design.
This does not inspire confidence.
“Please, Apache has nothing to do with this. Apache has a track record of very few security problems. MacOS X does not. The two cases are not comparable.”
Are you kidding? OS X has just as few if new fewer.
The example he provided is very relivant because both are suseptible to viruses and yet neither has many. The difference is that while one dominates, the other does not… yet both continue to have similar security. That blows a hole into your argument that security issues are increased as the product grows.
“Safari comes with the OS, is the default browser, and automatically downloaded and integrate arbitrary native code into the system. This sounds very much like IE, which comes with the OS, is the default browser and is able to automatically download and integrate arbitrary native code into the system (via ActiveX).”
You’re wrong. Safari doesn’t include code that is integrated into the operating system that specific only to web browseing… though it does utilize operating system technology that is unspecifric to the platform. The difference is that Microsoft’s browser strategy makes any insecurities that the browser might have… now specific to the operating system. Alternatively… if ther were any security issues on Safari… they would only be specific to safari.
“The exploits I was referring to are indeed not only the help viewer problems (which Microsoft also had) but the one where an internet enabled DMG would be automatically mounted and any URL handler (or file assocation) contained within would be linked into the system. Broken by design. “
The only way for a problem that you descibe to occur on OS X… is if you authorized the DMG to mount and install an application. Windows on the otherhand allows applications to be installed in the background without such authorization.
No operating system is secure as long as the user is gullible enough to leave the back door, front door and all the windows open.
“Safari comes with the OS, is the default browser, and automatically downloaded and integrate arbitrary native code into the system. This sounds very much like IE, which comes with the OS, is the default browser and is able to automatically download and integrate arbitrary native code into the system (via ActiveX).”
Safari *does* come with the OS but in case you’d like to remove it, drop its icon from the Applications folder to the bin. Try doing that with IE.
Also, I wonder where you got that bit about “automatically downloaded and integrate arbitrary native code into the system”. What kind of “arbitrary” code is integrating Safari into the system? What kind of code is Safari automatically downloading? Besides, the comparison with ActiveX is pointless. ActiveX is in fact a COM object whose *native* code is executed in a browser window (COM objects are supported in many other places throughout the system) and that has access to the same methods, classes and whatnot as any other piece of software running in a non-browser Window. Can you tell me how does that compare to Safari?
For your reference, there is quite a lot of material about ActiveX in the MSDN: http://msdn.microsoft.com/workshop/components/activex/intro.asp (you might want to take a look at it next time you make this kind of comments)
The exploits that you mention had nothing to do with Safari executing external untrusted code in its window but instead, were related to Safari’s handling of urls and the helper tools assigned to them.
“This is the thing that anti-Windows zealots fail to understand – as flawed as the OS is, it still is a ‘necessary evi’ for some things. But I would agree that the majority of people really don’t need it.”
Its not that people are anti Windows… (you make it sound as if there isn’t reason to dislike Windows in the first place but instead that people dislike WIndows simply for the sake of dislikeing WIndows) its that people are pro-other OSes. If Windows happens to lose as a result of that… it doen’t make that person anti Microsoft.
With that in mind… you are right. There are very specific markets that Apple doesn’t have a equivilent option to, but all to often people think that there are far more of these than there actually are. For example… I know several people who say that they will never use a Mac because there is no good audio editing software available for it. Meanwhile, what they mean is that there is not the specific audio application that they are currently using available for OS X. Its an ironic comment because Apple is not only the best application for audio editing… but it also has the best audio editing software available to it… which is OS X only.
Though there is genuinely a certain subset of computer users that genuinely can’t use a Mac because the software isn’t available, I think the niche vertle market argument credited so often as the main reason one should stick with Windows is most often the result of ignorance with what software is available for the Mac….
I just don’t understand why the single button mouse is even an issue… Why does it need to be brought up?
I wonder, too.
After years of using a 3-button-mouse with OS X (actually a 5-button mouse, but I simply couldn’t find any use for the extra buttons), I have now switched to using a graphics tablet instead, which only implements a single button comfortably. And as I found to my own surprise, Ctrl+Click is just as convenient as having a second mouse button.
I dont know what he’s smoking but:
1) windows laptops are the lightest ones ? are we comparing apples to apples? All windows laptops that I have seen that are ultra light are (1) more expensive than mac laptops and (2) not in the same league as other laptops
2) one button mouse – wow! what a serious flaw! All these years I had survived with a one button mouse. I only bought a multibutton mouse for games.
3) Rhapsody and Napster – yuck. if you use those…what can I say 🙂
4) Whinning about financial software – it does exist one the mac, and no the mac version, just like office, might not be the exact same as the windows version, does this make you unhappy? Please grow up
5) If you use your PC mainly for games, then just stick to your PC :p
Bottom line: You can switch to the mac if you want to, silly little excuses are just that – silly little excuses.
“Safari *does* come with the OS but in case you’d like to remove it, drop its icon from the Applications folder to the bin. Try doing that with IE.”
You can do exactly that with IE, just drop the Internet Explorer directory in the recycle bin. That won’t remove the MSHTML rendering engine of course, but then deleting Safari won’t remove WebCore either. So they seem pretty similar to me.
Also, I wonder where you got that bit about “automatically downloaded and integrate arbitrary native code into the system”.
Why don’t you look into the (well documented) exploits that I described. They took several months to fix!
are its users. That is, the Mac users who insist that the “Apple experience” is something out of this world, and that anyone running WinXP must be suffering constant crashes and virusses and get nothing done at all. Let me tell you, I use both Macs (PB G4, Panther) and WinXP (IBM TP41P) machines extensively at work, and there is really very little substantial difference doing most of my work. I just don’t see what is soo special about that all these Mac users are constantly raving about.
I’ve been a Mac user since the days of System 7, I work in the Pre-Press Industry. From a personal viewpoint using @ least a 2 button or preferrably a 3 button wheel mouse is the way to go. When I upgraded my machine @ home last year I bought a Microsoft Wireless Desktop, best investment I’ve ever made. When I go to work now and use the Apple gear I feel retarted. The Apple gear does look great but honestly if you want to get full benefit from MacOS X buy an alternative keyboard and mouse with a wheel. I think Apple have to seriously look at updating their input periphirals, I cant believe the price they can charge for something that doesn’t even take best advantage of their magnificent OS…
“I just don’t understand why the single button mouse is even an issue… Why does it need to be brought up?
I wonder, too. ”
To me its just a matter of convienance. I have used macs quite a bit (I even started using macs before Windows) and I just find it more ligical and natural to have the second button on the mouse rather than use the Ctrl + click.
Even if I could use all my programs on a Mac, I would still stick with a Windows machine. Part of it is that how Windows operates just makes more sense to me as a user. One of the major things is when you have a program open and you can still see others open behind it (i think its called MDI). This just bugs me and I like how when I have a program like Photoshop open its just a blank background covering up everything thats open behind it.
Its an ironic comment because Apple is not only the best application for audio editing… but it also has the best audio editing software available to it… which is OS X only.
Since Macs are a lot friendly to audio professionals than Linux, I know that high-quality software is available. However, I’m wondering as to which audio editing app you speak of? I wonder how it compares with Adobe Audition 1.5, which is pretty much the only audio editing app I have ever used, unless you count Total Recorder
Ya know, I was in Fry’s the other day, and one thing I found ironic is that Apple has all this badass hardware, but then they include a SHITTY keyboard and mouse!!! Even if a one-button mouse doesn’t bother you, I don’t know how you could stand using the default one.
Another thing I had is that when you’re moving the mouse pointer around the screen, it slows down to a crawl when you get near a button, even if it wasn’t the one you inteded to click on – ARRRRRRRRGGGGGHHHHHHH!!!! They’ve usually got the machine locked down pretty tightly so I’ve never been able toa ccess the mouse settings (or else couldn’t find it), but I would HOPE you could turn this behavior OFF!!
“The reason the Mac has no spyware is because it’s so insignificant, not due to some magical security of MacOS X.”
No. The reason is that Mac OS X runs on top of BSD UNIX. And BSD UNIX is known for being a VERY secure OS. It doesn’t have the thousands of built in security flaws that Windows does. It has nothing to do with how many people are using it.
For example. It doesn’t matter how many people have a grade A lock for their house compared to how many people have a grade D lock. A being best and … well, F being worst. It doesn’t matter which most people buy. Grade D locks will always be, security wise, not as good of a lock as a Grade A lock.
It’s a lot more than a matter of opinion where Apple and Windows are as far as security grades. I used to laugh my head off when NT only met C2 govt security specs when it no way to communicate outside of its own box. Meaning no network, phone, or other connection. Of course XP is better. How much better? Certainly not grade A or B or viruses, worms, and direct attacks wouldn’t succeed so often.
“I’m wondering as to which audio editing app you speak of?”
<a href=”http://www.apple.com/logic/“>Logic software was regarded as the epitome of audio editing applications for WIndows and then Apple bought them out and cut off WIndows development… (Linux development still continues however)
I personally think that MACs are fine for daily routine tasks such as email, word processing, etc and are more secure than Windows because of their architecture. Microsoft often fuses “outside” applications such as Internet Explorer with the kernel, making it more vulnerable to viruses and spyware. However, it is also true that MAC has a constrained developer community. MAC programming is not as big a business as Windows programming or Linux programming. This may be ONE of the reasons why viruses have not yet been developed for MACs.
I just don’t understand why the single button mouse is even an issue… Why does it need to be brought up?
Two reasons:
1. A Mac is an expensive machine with aesthetic appeal being one of its big selling points.
In other words, some of us who shell out for Macs want a matching multibutton mouse included.
2. Laptops’ track pads are not interchangeable.
The whole argument about using one mouse button stems from the fact that Windows REQUIRES 2 buttons to be productive.
This is not true at all.
To use only one button would be to limit your capabilities.
It limits your efficiency, just like it does on OS X.
They tackled the problem of needing a modifier button by refining the OS in such a way that using a single mouse button would make you more productive.
No, they didn’t. A two button mouse on OS X is “more productive” than the single button + keyboard, simply because it gives you the option of using *either* the mouse and the keyboard or the additional button, depending on the situation.
Of course Windows users won’t understand this unless they actually use OS X and also do away with their biases beforehand.
I use OS X extensively. It’s much more usable with a multibutton mouse.
A rather large proportion of OS X users agree – multibutton mice are one of the most popular aftermarket purchases for Macs.
I use a wireless eight button Logitech MX700 mouse and a Logitech wireless keyboard.
What do I do with the eight buttons?
1 – left click
2 – right click
3 – wheel button (open link in new tab – works in almost any app to open new tab in Safari or Firefox)
4 – thumb back button – webpage back to previous page
5 – thumb forward button – webpage forward button
6 – quickswitch button – to quickly switch (like alt-tab) between programs
7 – cruise up button (in front of webwheel) scroll up in all apps
8 – cruise down button (in back of webwheel) scroll down in all apps
As you can see – multiple button mice work very well with Macs. Dell mice are crap too. So are the MS mice that come with Gateway computers. I replace them just like with my Mac. Get over it. Same with keyboards.
That argument doesn’t hold up however because it would mean that Apache would have more exploits than Microsoft’s servers as a result of being more popular… but they don’t.
No, it wouldn’t. You are comparing apples to oranges.
Apache continually proves to be more secure.
Funny, I seem to recall someone here posting numerous links showing that comparisons between current versions of Apache and IIS have Apache *far* in the “lead” when it comes to exploits.
Although the obscurity argument does weigh into the picture to some degree… the reason why OS X is more secure than WIndows is because OS X does not ship with any ports open by default while WIndows ships with several on.
The vast bulk of malware and malicious code doesn’t get in via open network ports.
Quite a bit of difference between a BUNDLED browser and INTEGRATED browser. Safari is BUNDLED with Mac OS X, while IE has been INTEGRATED into Windows.
Safari (and its “integrated” OS component, WebCore) are the same (architecturally) as IE.
It doesn’t have the thousands of built in security flaws that Windows does.
For example ?
It has nothing to do with how many people are using it.
It has a *lot* to do with how many people are using it. MOre than anything else, these days.
For example. It doesn’t matter how many people have a grade A lock for their house compared to how many people have a grade D lock. A being best and … well, F being worst. It doesn’t matter which most people buy. Grade D locks will always be, security wise, not as good of a lock as a Grade A lock.
So if 99 out of every 100 houses has a “Grade A” lock and only 1 out of every 100 houses have a “Grade D” lock, which type of lock do you think is going to be involved in the larger number of breakins ?
Which type of car gets stolen more often – the type that 99% of the population owns or the type that 1% of the population owns ?
Which virus is more likely to be widespread – the one that can affect 99% of the population or the one that can only affect 1% of the population ?
I used to laugh my head off when NT only met C2 govt security specs when it no way to communicate outside of its own box.
It’s the only way *anything* met C2, because C2 didn’t say anything about network connectivity.
How much better? Certainly not grade A or B or viruses, worms, and direct attacks wouldn’t succeed so often.
No OS can stop users deliberately running malicious code.
Another thing I had is that when you’re moving the mouse pointer around the screen, it slows down to a crawl when you get near a button, even if it wasn’t the one you inteded to click on
I loathe the default mouse acceleration setting too. I actually use a program called USB overdrive to turn it off. The microsoft mouse drivers have their own acceleration setting that is more like windows too.
I just don’t understand why the single button mouse is even an issue… Why does it need to be brought up?
Since I’ve never used a Mac I can’t comment on the effect not having 2 buttons has, but I do know that I get extremely irritated when I don’t have a mouse wheel to scroll with. However, as others have pointed out, one can always buy a mouse with scroll wheel from an alternative source so I agree that it’s a non-issue.
The mouse thing is old and not an issue. If you buy a mini which is the new switcher machine just take one from you PC and plug it in. Buy any keyboard or mouse that you want. MS and Logitch make the best. No problem at all.
“Given their record in the security area, I don’t know why anybody would buy from them,” the former White House cybersecurity and counterterrorism adviser said yesterday, when asked for his thoughts on Microsoft’s forthcoming line of security software.
http://seattlepi.nwsource.com/business/212437_rsaclarke17.html
I’ll keep my Mac and worry about “concept viruses and vulnerabilties”
A Mac is exactly the reason why my gaming PC is virus free despite not running any virus software.
I agree that for some applications Windows in a “necessary evil” like a VHS player. I still have a VHS tape player because clients still give me information on VHS tapes, but I don’t own a single tape myself. I have switched to the better DVD technology as have many people which is why DVD’s have reached critical mass and content is being released on them more quickly than on VHS.
The same thing will happen with computers, IF people who don’t actually NEED Windows machines stop buying them and buy Macintoshes instead. Then, all those vertical market applications will be built initially for both platforms and then solely for the Macintosh.
The demand will create the market for vertical Macintosh software as well.
I have an office full of Macs, but we have one piece of software that is Windows only so we have one XP server that serves this one application which we access through MS Remote Access from our Macs. It’s actually a much faster solution than VPC.
No OS can stop people from running malicious code, but the difference is that Windows often runs apps as administrator – it requires it in many case – while OS X runs apps with no such priveleges unless the user specifically allows it. A user must deliberately allow malicious code to affect their system.
Generally in OS X, you create an admin account and a user account. You spend nearly all your time in the user account, only switching to admin for installs. In the user account, nothing can touch the system files without you entering a password.
The root account is disabled, and as a test I’ve been running OS X for nearly a year on my iBook without enabling it. I don’t actually need it for Office, development, games or Internet use.
It’s more secure out of the box because BSD Unix was designed that way from the start and Apple paid attention to security when they implemented it.
If the other explanation was true – security through obscurity – then why don’t we have a single OS X virus? We’ve had a couple of theoretical trojans and some methods of running malicious code which still require a password unless you’re in an admin account (the Safari exploit), but we have *zero* viruses.
I’d have expected at least one virus writer to look for the notoriety of creating the first true OS X virus, but we’ve got nothing. Not one. That won’t last forever, perhaps (Unix viruses have existed in the past), but if security through obscurity was true then we should have a few by now.
OS X is just more secure by default. The work you need to do in Windows to secure it is already done in OS X. That’s a real difference.
“No OS can stop people from running malicious code, but the difference is that Windows often runs apps as administrator – it requires it in many case – while OS X runs apps with no such priveleges unless the user specifically allows it. A user must deliberately allow malicious code to affect their system.”
EXACTLY Gary!
Thats what a lot of Windows users commenting on Mac security fail to realize. You just can’t install software on MacOSX with out authenticating with the OS who you are and even logged in as an admin you STILL cannot install software until you authenticate. You have to actually give that code or installer permission to execute.
No OS can stop people from running malicious code, but the difference is that Windows often runs apps as administrator – it requires it in many case – while OS X runs apps with no such priveleges unless the user specifically allows it.
No, *USERS* “often run things as Administrator”. Quite a lot of *DEVELOPERS* also write bad code that – at first glance – needs to be run in an Administrator context (but usually with minor tweaking doesn’t).
*Windows* only does what you tell it to – it won’t “run apps as Administrator” unless the user tells it to. It’s quite possible to happily run a Windows machine as a regular user, only raising privilege levels when necessary and for the appropriate programs (just like OS X or unix). I’ve been doing it for ~9 years now.
Added to that, the primary reason running as a regular user in Windows is effective at all in stopping malware is because most of it is written under the assumption that users will be running as Administrator – so it tries to write to parts of the system it otherwise couldn’t. Once malware authors modify their wares so that the malware doesn’t try to do this, it won’t be much of a defence anymore. Expect this to start happening over the next few years.
A user must deliberately allow malicious code to affect their system.
As they must on current versions of Windows.
Generally in OS X, you create an admin account and a user account. You spend nearly all your time in the user account, only switching to admin for installs. In the user account, nothing can touch the system files without you entering a password.
And users would never just type in a password when the prompt pops up, would they ?
Not to mention users – without authenticating – can happily copy stuff into /Applications.
Not to mention users – without authenticating – can happily configure programs to start when they login.
Not to mention all those parts of the OS X filesystem that are writable – without authentication – to members of the “admin” group, like /Applications (ie: the default first user).
The root account is disabled, and as a test I’ve been running OS X for nearly a year on my iBook without enabling it. I don’t actually need it for Office, development, games or Internet use.
The root account being “disabled” is so incredibly irrelevant that the only people who try to make it sound important are the ones who don’t understand.
Go to a Terminal prompt (as the default new user in the Admin group). Type in ‘sudo bash’. Type in your password. You are now root. You can now do everything that you think having “root disabled” stops.
It’s more secure out of the box because BSD Unix was designed that way from the start and Apple paid attention to security when they implemented it.
Unix wasn’t “designed” (particularly with regards to security) at all – it was “evolved”. NT has had *far* more “design” put into with regards to security than unix.
If the other explanation was true – security through obscurity – then why don’t we have a single OS X virus? We’ve had a couple of theoretical trojans and some methods of running malicious code which still require a password unless you’re in an admin account (the Safari exploit), but we have *zero* viruses.
Because no-one bothers to write them. What’s the point in 0wning machines representing about 1/100th of the internet ? What chances has your trojan or worm got of propogating if it can only find a *potential* victim every 100th machine it scans ?
I’d have expected at least one virus writer to look for the notoriety of creating the first true OS X virus, but we’ve got nothing. Not one. That won’t last forever, perhaps (Unix viruses have existed in the past), but if security through obscurity was true then we should have a few by now.
Those “theoretical” viruses ? That was the “notoriety” thing you’re talking about.
OS X is just more secure by default. The work you need to do in Windows to secure it is already done in OS X. That’s a real difference.
Most of the ways OS X is “more secure by default” really aren’t that important. Not to mention most of them are also true of current versions of Windows.
1. A Mac is an expensive machine with aesthetic appeal being one of its big selling points.
Yet no more expensive than a comperably equipped PC
One of the biggest problems with Windows XP is that when you have a new install or OEM install, unless you go back and make a change every account you add when you first start up your machine is an admin.
The installer does not tell you this or tell you how you can change it.
As and admin in Mac OSX the one simple thing I love is that to do most distructive tasks you have to put in a password which gives you some pause before you complete the task. Also the admin accounts do not have 100% the permission level of the root account which is off by default. In Windows the admin accounts have the exact same permissions as the built in local admin account.
Another thing is how simple applications need to run as admin in Windows. I installed a game (Monopoly to be exact) And I could not run it as a regular user or as a power user! Plain stupid!
Here is the other funny thing. You would think some one would write worms or viruses for OSX just to disprove the fact that OSX is super secure. Yet no one has done this??? Also I don’t think Windows machines get attacked more because there are more machines out there. I think they get attacked more because there are more insecure machines out there then any other OS. And even if there were as many Macs out there that there would be more secure Macs then Windows machines just based on the default configureation out of the box.
And yes I know that you can right click on an application exe in windows and then choose to run as a different user. (That would mean you would have to give that account info to each user on the machine)
My girlfriend was the one who wanted to run that in her account which was a regular account. She knew nothing about right clicking and choosing to run as an admin. You should be able to double click an app and it should ask you who you want to run it as instead of beeping at you for trying to run it as a regular user.
Ether way it was just a dang game. It should be able to run as a regular user in it’s own memory space etc.
If users enter their admin passwords willy-nilly, then no-one can help them. I’d think most people would think twice about entering a password when they’re reading email, looking at the web or opening what appears to be a file by double-clicking on it. At some level, you can’t completely secure a system for all users. Some responsibility must be on the users, but not all, and the system should allow for users who don’t know much about security.
If Windows users must deliberately allow execution of malicious code, why do we see the propagation of viruses and malware on Windows? My understanding is that these things generally spread without the express permission of the users involved.
Users can’t write to /Applications without entering an authentication password. Or at least, that’s the way my Mac works. I’m not in front of it, but every time I drag a new app there (in my user account) I must enter a password. Same with any folder outside my user one.
Any user can start any executable upon login. I have iTunes and iPulse starting with my user account. Is your point that something could install a startup app (such as a keylogger) without my knowledge? If that happens (and I’ve seen no exploit that indicates it can, although I imagine an AppleScript could do it), then what’s to stop me turning it off? I can see the executables that start upon login in a nice list in the Control Panel, after all. Even hidden ones are listed clearly, and can be removed.
The root account is not so irrelevant if you want to alter system level files that affect all users. You can do some damage with admin access, but you need root access to completely hose OS X. I’ll try the sudo bash from my admin account when I get home. Can it be done from a script or an application without alerting the user? And if I’m in my user account, can it be done at all?
The theoretical trojans (not viruses) were discovered by security companies. That’s not so much notoriety as advertising, but I take your point. I also have to concede that a specifically OS X virus might have a harder time of finding other Mac users out there. Still doesn’t explain why none exist yet, even if they don’t spread so well, but perhaps any potential virus-writers have the forethought not to bother.
I’m not exactly a starry-eyed believer in OS X security, but when you compare a new user on OS X to a new user on Windows, I’m certain that the Windows user will suffer attacks and exploits far more than the OS X user. Having to manage your own security is fine if you know what you’re doing, but the vast bulk of people don’t care that much and they shouldn’t have to. They expect and assume a level of security, just like people do with car safety. They shouldn’t be expected to have to continually maintain it.
Thats what a lot of Windows users commenting on Mac security fail to realize. You just can’t install software on MacOSX with out authenticating with the OS who you are and even logged in as an admin you STILL cannot install software until you authenticate. You have to actually give that code or installer permission to execute.
Any user in the admin group can write to /Applications (along with other places). While many installers authenticate, very few of them *need* to.
polar:~ drsmithy$ ls -la / | grep Applications
drwxrwxr-x 29 root admin 986 16 Feb 22:03 Applications
polar:~ drsmithy$
Any code run by a user in the admin group can copy stuff into /Applications.
Any code run by a user in the admin group can set programs to start on login.
Any code run by a user in the admin group can make outgoing network connections.
Any code run by a user in the admin group can modify that user’s data.
Yet no more expensive than a comperably equipped PC
That depends entirely upon what you consider “comparably”.
As and admin in Mac OSX the one simple thing I love is that to do most distructive tasks you have to put in a password which gives you some pause before you complete the task. Also the admin accounts do not have 100% the permission level of the root account which is off by default. In Windows the admin accounts have the exact same permissions as the built in local admin account.
Admin accounts in OS X and Windows are not equivalent. A *rough* equivalent to the OS X “admin” group is the Windows “Power User” group.
Another thing is how simple applications need to run as admin in Windows. I installed a game (Monopoly to be exact) And I could not run it as a regular user or as a power user! Plain stupid!
This is wholely and solely the fault of the software developer. There’s not much Windows/Microsoft can do about developers writing bad code.
My girlfriend was the one who wanted to run that in her account which was a regular account. She knew nothing about right clicking and choosing to run as an admin. You should be able to double click an app and it should ask you who you want to run it as instead of beeping at you for trying to run it as a regular user.
This facility exists in Windows. The problem, as usual, is developers not taking advantage of it.
Ether way it was just a dang game. It should be able to run as a regular user in it’s own memory space etc.
And it almost certainly will with only minor tweaking. Most likely, it’s trying to write to either its own program directory or to system-wide parts of the registry.
“Memory space” has nothing to do with anything, I have no idea why you bring it up.
If users enter their admin passwords willy-nilly, then no-one can help them. I’d think most people would think twice about entering a password when they’re reading email, looking at the web or opening what appears to be a file by double-clicking on it.
Firstly, most won’t think at all.
Secondly, there’s little reason to think they ever would get a password prompt for most forms of malware attacks.
At some level, you can’t completely secure a system for all users. Some responsibility must be on the users, but not all, and the system should allow for users who don’t know much about security.
Windows *does*. The problem is *software developers* not using the facilities available to them.
If Windows users must deliberately allow execution of malicious code, why do we see the propagation of viruses and malware on Windows? My understanding is that these things generally spread without the express permission of the users involved.
Because users are more than happy to run programs in emails or click “OK” when their browser prompts them to install things.
Users can’t write to /Applications without entering an authentication password. Or at least, that’s the way my Mac works. I’m not in front of it, but every time I drag a new app there (in my user account) I must enter a password. Same with any folder outside my user one.
I have a freshly installed iBook here (10.3.8) and I can drag anything I want into /Applications. I’ve even posted the unix directory permissions in another message that show /Applications if group writable to “admin”.
Is your point that something could install a startup app (such as a keylogger) without my knowledge? If that happens (and I’ve seen no exploit that indicates it can, although I imagine an AppleScript could do it), then what’s to stop me turning it off? I can see the executables that start upon login in a nice list in the Control Panel, after all. Even hidden ones are listed clearly, and can be removed.
But only if you’re *looking*.
Most people who are infected don’t know it, and hence won’t be looking.
The root account is not so irrelevant if you want to alter system level files that affect all users. You can do some damage with admin access, but you need root access to completely hose OS X.
‘sudo [whatever]’ runs [whatever] as root.
I’ll try the sudo bash from my admin account when I get home. Can it be done from a script or an application without alerting the user? And if I’m in my user account, can it be done at all?
Only from admin accounts, because only admin accounts can sudo.
Still doesn’t explain why none exist yet, even if they don’t spread so well, but perhaps any potential virus-writers have the forethought not to bother.
Because there’s not enough benefits to offset the cost. Even in *ideal conditions* an OS X virus/worm/whatever would spread far slower, affect far fewer computers and be much, much easier to isolate.
I’m not exactly a starry-eyed believer in OS X security, but when you compare a new user on OS X to a new user on Windows, I’m certain that the Windows user will suffer attacks and exploits far more than the OS X user. Having to manage your own security is fine if you know what you’re doing, but the vast bulk of people don’t care that much and they shouldn’t have to. They expect and assume a level of security, just like people do with car safety. They shouldn’t be expected to have to continually maintain it.
About the only way OS X has a better config out of the box now is with Windows users defaulting to Administrator. I can certainly understand – given the plethora of poorly written software that appears to require it – why Microsoft chose to configure this as the default. Hopefully it will change in Longhorn.
drsmithy wrote…
Any code run by a user in the admin group can copy stuff into /Applications.
Any code run by a user in the admin group can set programs to start on login.
Any code run by a user in the admin group can make outgoing network connections.
Any code run by a user in the admin group can modify that user’s data.
…
All of which underlines why you create an admin user for doing stuff like that, but run your everyday stuff from a non-admin user account. Admin users have certain priveleges – that’s why they’re called ‘administrators’. In response:
No code run by a user outside the admin group can copy stuff into /Applications.
No code run by a user outside the admin group can set programs to start on any other user’s login. I haven’t seen code yet that will set an executable to run on your own login, but it’s probably possible. In fact, no user except root can even *look* at another user’s documents let alone alter them.
Any code run by any user in any group can make outgoing network connections. That allows us to connect to the Internet, other computers and so on. This is generally a good thing. The even better thing is that there’s a firewall that’s easy to configure which can block certain types of outgoing and incoming traffic.
Any code run by any user in any group can modify that user’s data and only that user’s data (except the root user). That’s sort of handy though, because that’s what enables applications to save files. We want that behaviour!
OS X is generally very secure. Is that so hard to accept?
>>All of which underlines why you create an admin user for >>doing stuff like that, but run your everyday stuff from a >>non-admin user account. Admin users have certain >>priveleges – that’s why they’re called ‘administrators’.
yeah but then the same thing can be said of Windows. the obvious problem is that in windows no one actually does this because they are lazy, have no idea what it means, or are aware but are willing to take their chances.
now I’ve never installed OSX so i don’t know how much it pressures you to make a seperate user account, but it seems like the “web browsing and email” school of computer users would just gloss over that trying to get to their desktop, much like they do in windows.
[quote]
The root account being “disabled” is so incredibly irrelevant that the only people who try to make it sound important are the ones who don’t understand.
Go to a Terminal prompt (as the default new user in the Admin group). Type in ‘sudo bash’. Type in your password. You are now root. You can now do everything that you think having “root disabled” stops.
[/quote]
What is your point? That it is possible to activate root priviliges on a Mac? Of course it is, if you know the admin password.
I think the original poster’s point is valid. If you do a default install of Windows, setting up only one user account, it will be the administrator (root equivalent on Windows) account. MacOS X does not do this. Even the Admin account on OS X is not a root account, it is just an account that can run certain software installations and tweek certain configuration settings.
That is, inherently, more secure. Of course, the best way of securing the computer is to put no ports on it, give it no access to the internet, and put no removable media drives in it, wrapping the whole thing in a welded steel box straight from the factory. Of course, the utility of such a computer might also be compromised. The point is, it is possible to make a machine ship from the factory with more security than Windows has without compromising usability of the machine.
“Windows *does*. The problem is *software developers* not using the facilities available to them. ”
Yeah, stupid developers, not taking advantage of all the security goodies MS put in Windows. Who the hell developed that bug ridden, security black hole Internet Explorer, anyway?
Oh yeah, Microsoft.
Safari (and its “integrated” OS component, WebCore) are the same (architecturally) as IE.
WebCore is a library, KWQ is he connetor to MacOS X. It is NOT and OS component, definately not like IE. Infact Apple discourages deverlopers from using webcore directly.
http://developer.apple.com/darwin/projects/webcore/
“WebCore is a framework for Mac OS X that takes the cross-platform KHTML library (part of the KDE project) and combines it with an adapter library specific to WebCore called KWQ that makes it work with Mac OS X technologies. KHTML is written in C++ and KWQ is written in Objective C++, but WebCore presents an Objective C programming interface. WebCore requires the JavaScriptCore framework.
……….
It is not a good idea to use WebCore directly for browser development or HTML display on Mac OS X. The WebCore SPIs are fragile, incomplete and bound to change. Apple will soon release a public API based on the WebCore engine. We recommend waiting for this forthcoming API.”
So if 99 out of every 100 houses has a “Grade A” lock and only 1 out of every 100 houses have a “Grade D” lock, which type of lock do you think is going to be involved in the larger number of breakins ?
This is not a particularly good analogy. Thieves, unlike hackers/crackers, are visible to the naked eye and thus prefer an easy break-in and would go for the house with the weakest lock.
Which type of car gets stolen more often – the type that 99% of the population owns or the type that 1% of the population owns ?
Cars most of the population own usually are cheaper and have very low quality security systems by default. My BMW is far more difficult, almost impossible, drive a way with without the key. Cvics and Corollas aren’t.
These two examples are not very relevant to the discussion of computer decurity.
WebCore is a library, KWQ is he connetor to MacOS X.
Should have said. Wecore is the khtml library and kwq it’s connector to MacOS X.
No OS can stop users deliberately running malicious code.
Yes it can. All an OS needs to do is makes sure everything that executes on it is signed and unsigned stuff never executes.
No OS can stop users deliberately running malicious code.
Yes it can. All an OS needs to do is makes sure everything that executes on it is signed and unsigned stuff never executes. One would have to go to a trusted source to get a certificate.
Unfortunately said OS wouldn’t be too popular.
‘sudo [whatever]’ runs [whatever] as root.
sudo requires you to type a password. So rogue code can’t just exec sudo [whatever] and get root access.
I said…
>>All of which underlines why you create an admin user for >>doing stuff like that, but run your everyday stuff from a non-admin user account. Admin users have certain priveleges – that’s why they’re called ‘administrators’.
Anonymous said…
>>yeah but then the same thing can be said of Windows. the obvious problem is that in windows no one actually does this because they are lazy, have no idea what it means, or are aware but are willing to take their chances.
>>now I’ve never installed OSX so i don’t know how much it pressures you to make a seperate user account, but it seems like the “web browsing and email” school of computer users would just gloss over that trying to get to their desktop, much like they do in windows.
My only response is touche. That’s a really good point, and OS X doesn’t pressure you to create a seperate user account for admin functions to the normal day-to-day account. It should (I believe), or maybe create an admin account automatically and then let you create your own user accounts.
It’s not perfect by any means, but I maintain that it’s very good by default.
Infact:
sudo ls /
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
The bottom line is being admin on any platform means the user has to be extra cautious. With great power comes great responsibility as Unlce Ben would say
But MacOS X does take more precautions on behalf of the user than Windows XP does. But no OS that ordinary consumers can use would be successful if it put too much restrictions on the user.
Most users don’t understand the need for a username and password because they have been taught for more than a decade that a PC didn’t require a password and username. It will take about that long for them to unlearn that.
So we have to accept that users can’t be blamed and desgin and implement better systems. Doing that is much easier than teaching every user out there security and computer science.
“Any code run by a user in the admin group can copy stuff into /Applications.
Any code run by a user in the admin group can set programs to start on login.
Any code run by a user in the admin group can make outgoing network connections.
Any code run by a user in the admin group can modify that user’s data. ”
Well of course if your admin account credentials have been compromised either locally or remotely your box is owned but as a general rule programs in MacOSX don’t just run amoke without authentication credentials of an admin account. As a safeguard and has been mentioned a standard User account can be enabled addressing a lot of the issues you mentioned but I also understand that a majority of MacOSX systems are running admin accounts by default.
MacOSX has had a good track record regarding security fixing vulnerabilities in a timely fashion and fixing some before they are even discovered.
All the same maybe MacOSX should tell you to create an Admin and regular User account.
What is your point? That it is possible to activate root priviliges on a Mac? Of course it is, if you know the admin password.
That’s exactly my point. A rather large proportion of the Mac community seems to think the root account being “disabled” means you can’t get “root access” (just look at the number of articles there are on “enabling” it, despite the pointlessness of doing so).
Yeah, stupid developers, not taking advantage of all the security goodies MS put in Windows. Who the hell developed that bug ridden, security black hole Internet Explorer, anyway?
Which “security goodies” don’t you think IE is using ?
That’s exactly my point. A rather large proportion of the Mac community seems to think the root account being “disabled” means you can’t get “root access” (just look at the number of articles there are on “enabling” it, despite the pointlessness of doing so).
That’s news to me. I don’t think a large portion of the Mac community thinks that. They think not having the root user enabled by default is a good thing. Which is quite different.
The number of articles showing you how to enable root access are for those who mainly come from a unix/linux background where having root access is akin to being God on the system. The search for that power, so to speak is not the norm for the Mac community by any means.
As I poined out being able to sudo as and admin user is not a big security hole.
QUOTE: “there is little or no known spyware for the Mac.”
Mossberg — when you write this stuff then surely you should actually know whether there is any spyware?
From what I have just read- one can say that there a number of people who are ignorant to the Macintosh platform and its related technologies; and that there are many people who refuse to accept that XP systems are inherently insecure systems :/
Only from admin accounts, because only admin accounts can sudo.
The admins evidently don’t need sudo (they are after all admin).Sudo is meant to selectively elevate the credentials an app will run with.The MS equivalent is runas,why would an admin use runas where he/she allready has full access to everything?
Unless you want to temporarily “downgrade” your credentials.Than again why openup everything up first and than close everything to the point you are satisfied.In my opinion it’s better and faster to close everything first and than open or provide access to only the services one absolutely can’t co without,aka runas used by selected limited user(s).
WebCore is a library, KWQ is he connetor to MacOS X. It is NOT and OS component, definately not like IE. Infact Apple discourages deverlopers from using webcore directly.
I see you’ve been off researching WebCore so you can come back and play your silly semantics game. Good work !
It’s a shame you didn’t spend an equal amount of effort researching IE.
How is a shared library, distributed with the OS, used by parts of the OS, available for use by applications, used by applications distributed with the OS and used by third party applications, *not* an “OS component” ?
You can call WebCore (and whatever else it carries along with it to be usable) “libraries”, “components” or “pink elephants” if you want, but the simple fact is it’s a bunch of web-related software functionality distributed with OS X and available for all applications to use. Just like IE is on Windows.
It is not a good idea to use WebCore directly for browser development or HTML display on Mac OS X. The WebCore SPIs are fragile, incomplete and bound to change. Apple will soon release a public API based on the WebCore engine. We recommend waiting for this forthcoming API.”
“Don’t use it now because the API is still not mature. It will be soon and then y’all can code to it as much as you want”.
It looks like I was being too generous to Apple. They *want* to have something like IE, but they haven’t got there yet. I’m wondering if that web page is up to date, because I do remember the above being said about Safari+WebCore when the first Safari betas were released and that after it was bundled into OS X, that would be the signal the API was stable.
Seems a bit silly (bordering on irresponsible) for Apple to be distributing a library and publishing an API that’s not stable.
Interesting logic as well, by the way – apparently WebCore and IE are nothing alike because IE is already what WebCore wants to become once it grows up…
This is not a particularly good analogy. Thieves, unlike hackers/crackers, are visible to the naked eye and thus prefer an easy break-in and would go for the house with the weakest lock.
I agree it’s not a very good analogy, and the reason is because both Windows and OS X have “locks” of basically the same strength. So, the analogy is really:
“If 99% of houses have locks from Brand A and 1% have locks from Brand B, which brand would expect to be involved in more breakins ?”
These two examples are not very relevant to the discussion of computer decurity.
The trouble is stating the painfully obvious – that Windows computers are 95% – 99% of the installed base, so of *course* they’re going to be targeted and exploited more – to people who can’t look at a situation objectively doesn’t work, so we need to resort to silly analogies.
Yes it can. All an OS needs to do is makes sure everything that executes on it is signed and unsigned stuff never executes. One would have to go to a trusted source to get a certificate.
What stops malware authors getting certificates for their software (this is already happening with some sites that distribute malware, I believe) ?
Remember, a lot of the malware out there masquerades as legitimate software, or is even bundled into it (eg: Kazaa).
sudo requires you to type a password. So rogue code can’t just exec sudo [whatever] and get root access.
That wasn’t the point I was trying to make.
A lot of Mac users seems to think that since the root account is “disabled” it’s somehow impossible to attain “root privileges”. The fact that it’s trivial to do so was the point I was trying to get across. This is an error made *constantly* all over the place when talking about OS X.
So we have to accept that users can’t be blamed and desgin and implement better systems. Doing that is much easier than teaching every user out there security and computer science.
You’ve flip-flopped back to the “software should work around the user” point of view again.
[root account being disabled]
That’s news to me. I don’t think a large portion of the Mac community thinks that.
Well there’s a *shitload* of people who bring it up as some huge issue that makes OS X r0x0r. See this very thread for a tame example.
Also, refer to the number of “tweak guides”, etc, that tell you how to enable it while warning doing so is a “security hole”.
They think not having the root user enabled by default is a good thing. Which is quite different.
Very, very few of them seem to know what it actually means. In general it’s a matter of “Apple says it’s good, so it must be” (like most things).
As I poined out being able to sudo as and admin user is not a big security hole.
I’m not trying to say it’s a “big security hole”, I’m trying to say it’s irrelevant.
[…] and that there are many people who refuse to accept that XP systems are inherently insecure systems :/
That’s because they’re not.
The admins evidently don’t need sudo (they are after all admin).
Yes, they do. That’s basically what an “admin” account in OS X means – that the user is in /etc/sudoers and can ‘sudo [command]’ (and the GUI equivalent).
It’s *not* the same as an Administrator in Windows, which is more akin to root. An OS X ‘admin” is *roughly* equivalent to a Windows “Power User” who knows an Administrator password (and hence can use Run As).
Sudo is meant to selectively elevate the credentials an app will run with.The MS equivalent is runas,why would an admin use runas where he/she allready has full access to everything?
Because an ‘admin’ in OS X *doesn’t* have “full access to everything”. They have elevated access to a few things with regards to file system permissions (eg: can write to /Applications) and are in /etc/sudoers.
This is a really, really important distinction that a lot of people (both ignorant zealots on forums and supposed professionals) don’t pick up on – Windows Administrator != OS X ‘admin user’. They’re very different beasts.
From what I have just read- one can say that there a number of people who are ignorant to the Macintosh platform and its related technologies; and that there are many people who refuse to accept that XP systems are inherently insecure systems :/
XP isn’t inherently (more)insecure,at least not significantly more than any average whatever platform.XP is like pearls for the pigs, the installed base is so huge , that XP ( MS) has more security ignorant or otherwise mentally challenged (regarding information technology!) users/customers than any OS/Platform.Thus inherently there are more cases of critical mistakes,non updated/patched systems,no firewalls etc.
Security is a process with the user/admin factor making at least 50 % part of the overall equasion.The average soho user doesn’t likely check the md5sums or verify the gpg signatures of downloaded files/apps,wheras this is a healthy custom in the everything non mac/win world.A lot of windows shareware/freeware doesn’t give you the opportunity to do checksummin.
A week ago i upgraded one of my PC’s (XP-professional) with a AMD64 processor , 1024 DDR,SATA raid0 and a average FX5700 graphics card.I allways wanted to really play FARCRY,man i love that game.The motherboard comes with a hardware firewall build in the gigabyte lan chip (Nforce 3/250).My lan has a hardware statefull firewall,blocks everything and allows only a few ports to a bere minimum in whatever direction.All services on the XP box are ,again,disabled to a bare minimum which allows me to do whatever i want/need to.All registry entries that are criticall (Runonce,Run etc) and yet writable with the limited user account are set non-writable.I imported the High secure workstation policy and even went a little bit further on some points.My e-mail is collected on a different non-windows machine .I don’t game online (a lot of cheaters anyway),don’t directly read e-mail from my windows box and i allways use the limited user account, for which i made my own policies.
It takes my gaming box < 7 sec’s from a reboot to a full operational state.I love to use FreeBSD and Linux allso,but lets face it none (exept XP) doesn’t let me not choose whatever piece of hardware i want to whenever i want to.Allthough i believe OpenSource is very valueable,as said,love to play around with whatever server,there isn’t one non mac/windows that is to be considered equal for (hardcore) gamers or heavy multimedia usage.
For servers the choice is simple,no windows,no mac on publically accessible (not physical) services.For an internal network it doesn’t realy matter.
Because an ‘admin’ in OS X *doesn’t* have “full access to everything”. They have elevated access to a few things with regards to file system permissions (eg: can write to /Applications) and are in /etc/sudoers.
This is a really, really important distinction that a lot of people (both ignorant zealots on forums and supposed professionals) don’t pick up on – Windows Administrator != OS X ‘admin user’. They’re very different beasts.
That’s a security benefit than no doubt about it 🙂
MacOsX doesn’t have system processes that have full credentials aka the system account on windows?
Otherwise,similar to do everything from the limited user account with runas, except MacOSX has a greater portion of comfort and ergonomics.
That’s a security benefit than no doubt about it 🙂
Not really, it’s just a terminology (and methodology) difference.
MacOsX doesn’t have system processes that have full credentials aka the system account on windows?
Anything running as root is basically analagous to LOCALSYSTEM. On my nice, freshly installed iBook (10.3.8) there’s ~34 processes running as root.
Otherwise,similar to do everything from the limited user account with runas, except MacOSX has a greater portion of comfort and ergonomics.
Yes, OS X certainly has more software that’s well written that asks for elevated privileges when needed, rather than assuming the user will know.
seriously, aside from IE, the vast majority of the security problems Windows faces in a desktop area are stupid users downloading every attachment they get sent.
in the 9-8 years that I’ve been running on windows i’ve gotten 4 viruses, all of them my own damn fault. and since switching to mozilla two years ago, no spy ware same thing goes for my family anf friends. i’m not running a firewall and have no more protection than AVG free, all it takes is just a half second forethought before downloading something. yeah it couldn’t stand up to a direct attempt at hacking, but thats true of most things.
the 90% of users having windows means that the platform gets 90% of the blinding morons, which is what kills any attempt at security.
I see you’ve been off researching WebCore so you can come back and play your silly semantics game. Good work !
I already knew this the last time we discussed. I predicted then, what your response would be. And I am right as usual.
It’s a shame you didn’t spend an equal amount of effort researching IE.
I did and givent the lack of msdn docs on the subject with whatever little is avaiable, my conclusions haven’t changed.
How is a shared library, distributed with the OS, used by parts of the OS, available for use by applications, used by applications distributed with the OS and used by third party applications, *not* an “OS component” ?
The binary vi is also fits the description in Mac OS X. Is vi and OS component or an editor.
Without webcore the system will still boot, you can still surf the web( with alternate browsers), do your email and browse the file system. No so webcore is not an OS Compnent, it is a library certain Apps use. It is a component of the Mac OS X distribution but not an OS component. Darwin is an OS and it doesn’t contain webcore.
It looks like I was being too generous to Apple. They *want* to have something like IE, but they haven’t got there yet. I’m wondering if that web page is up to date, because I do remember the above being said about Safari+WebCore when the first Safari betas were released and that after it was bundled into OS X, that would be the signal the API was stable.
I told you, you couldn’t take a technical argument. You are turning the technical argument into a political one. We all know how much you love Microsoft and dislike Apple, We wouldn’t be having this converstation if you were a reasonable person.
How many times have they rewritten IE? and they are doing it again right.
Reality is IE has failed as a design (note mass migrations to firefox), I am glad
Seems a bit silly (bordering on irresponsible) for Apple to be distributing a library and publishing an API that’s not stable.
Not irrespondible. Considering the developers seciton of Apples site has the disclaimer warning developers not to use it. APIs are allowed to be unstable and private. Also KTML is volitile apple is warning users to wait for thier full set up of APIs that will hide the volitility. Nothing wrong with that.
Interesting logic as well, by the way – apparently WebCore and IE are nothing alike because IE is already what WebCore wants to become once it grows up…
I hope WebCore never becomes that festering pile that IE is today. Microsof t is rewriting it once again isn’t it?
Anyway, I think I have gone through enough dicussions with you to realize that you aren’t technically sound enough to understand development. You are especially in bed with Microsoft to the point that no amount of reasoning, including using Microsoft’s own documents, get’s a point across.
“If 99% of houses have locks from Brand A and 1% have locks from Brand B, which brand would expect to be involved in more breakins ?”
The answer is still lock B. Drop the analogy it won’t work.
The trouble is stating the painfully obvious – that Windows computers are 95% – 99% of the installed base, so of *course* they’re going to be targeted and exploited more – to people who can’t look at a situation objectively doesn’t work, so we need to resort to silly analogies.
Precisely the reason Microsoft should take more responsibility in making it more secure. To take the car analongy again, Honda and Toyotas are more responsible in making thier cars more reliable than BMW becuase more people buy them. The problem is Microsoft should be more like Honda and Toyota, aking thier stuff reliable and not like BMW making thier stuff more complex and whizbang.
What stops malware authors getting certificates for their software (this is already happening with some sites that distribute malware, I believe) ?
Thier certificates get revoked and the OS stops running the Apps. The certificates on your computer can always be checked against the central authroity periodically.
I am not adovocating this approach, merely stating it is do able in an OS.
A lot of Mac users seems to think that since the root account is “disabled” it’s somehow impossible to attain “root privileges”. The fact that it’s trivial to do so was the point I was trying to get across. This is an error made *constantly* all over the place when talking about OS X.
It is not trivial for a price of code to do so, because admin is not root and a buffer overflow on a process running with Admin credentials can only cause damage to stuff admin has access to. So it is very hard to get “root privileges” in OS X. I am not saying it is impossible, it is quite possible sudo has a bug that can be expolited to get aroung the password.
The bottom line is it is very very very hard.
You’ve flip-flopped back to the “software should work around the user” point of view again.
No, Software should be designed and implemented in a way that no matter what a user does without tought and malicious intent can’t harm them or the system. All I am saying is make software good enough so that security holes are much much less of a problem so there is no need to be worried about users doing stupid things.
Cars now a days have protection features, like BMW transmissions ( automatic and SMG) are computer controlled and it is impossible to mechanically over rev the enigne, with a money shift. This protects the engine and the consumer from a lot of damage. Software should be similar.
The user can click away to glory mindlessly wihtout Adminstrators wetting thier pants. It is possible to design an software that way and is much easier than teaching 6 billion+ people about security and the nitty-gritty of computers.
Very, very few of them seem to know what it actually means. In general it’s a matter of “Apple says it’s good, so it must be” (like most things).
Like microsoft saying the same thing doesn’t hold good for you. I have had a countless arguments with you, where you said the same thing ” microsoft says it is good”, or ” what they meant was”. You are no different than those you accuse, you are just guilty of it with Microsoft.
It is a tongue-in-cheek article.
Joy of Tech got it right <http://www.geekculture.com/joyoftech/index.html>
“This facility exists in Windows. The problem, as usual, is developers not taking advantage of it. ”
The funny thing is that Microsoft doesn’t do this in their own applications? So if these features exsist then why does Microsoft not use them on their own applications? (And games)
Looks to make like more of a short coming in Windows then a problem with developers.
Also why doesn’t Microsoft close those loop holes in the OS so that developers can not go out side of set parameters! Make is so that applications have to run in a secure fashion!
Mac Sys.+OS X=$5000+
PC+Linux distro=well I already have a PC so a free download or a boxed disto $for $40-$80
Which on do you choose?
Wrong analogy. How about a $500 Mac Mini as an admitedly low end server, OS included free, Apache free for download? Add some extra RAM and $600 vs 40-80 doesn’t look so bad.
But this is silly; you are probably NOT the target audience for the Mini.
Mac Sys + OSX = well I already have a Mac, so a New copy of tiger = 129 (when it is released)
i386Box + Linux = Well I already have a PC so a free download or a boxed distro for 40-80.
Which one do you choose?
OBVIOUSLY, The Macintosh.
Get out.
Why do they need separate apps for dealing with spyware and/or malware? Why isn’t that protection simply built into the OS in the first place? What is a company like Norton or McCaffee able to do for Windows that MS can’t do?
It’s like have a window, and deciding the window is too fragile, so you put a grate over it or some metal bars. What if the window was bullet-proof, shock resistant, etc. in the first place?
http://joyoftech.com/joyoftech/joyarchives/652.html
Why do they need separate apps for dealing with spyware and/or malware? Why isn’t that protection simply built into the OS in the first place? What is a company like Norton or McCaffee able to do for Windows that MS can’t do?
Because most of the things malware does, in and of themselves, are not “bad”.
Because identifying whether something is malware is not Microsoft’s responsibility (there were a lot of people whinging on /. because VNC was identified as a “possible problem”, for example).
Because bundling more functionality into the OS that the customer wants always seems to land them in court.
Regarding IE 6, recall how much effort MS made during its anti-trust trial to show that IE was an integral and inseparable part of the OS. It’s really like the creature in Alien, with tentacles wrapped throughout the OS. Then, add crappola like ActiveX Controls and you have a turgid recipe for malware that exceeds anything Mac users have experienced with any Mac browser. And, it cannot be overstated that most folks run as Admin in XP…the equivalent of root on Panther. Virtually no Mac users I know have any need to enable Root. There’s a reason why Richard Clarke uses a PowerBook, and it has little to do with ‘security by obscurity.’
“Because identifying whether something is malware is not Microsoft’s responsibility.”
Why not? This doesn’t answer the question. And again, this applies to all OS makers. Why shouldn’t it be their responsibility? Why should we need third party apps to do the things that the OS itself could do?
“Because bundling more functionality into the OS that the customer wants always seems to land them in court.”
This might be true, but if it’s an integral part of the OS rather than being billed as MS Anti-Spyware, I don’t see why it couldn’t be done.
“If you love Microsoft Outlook…”
There are people who love Outlook?
“Because identifying whether something is malware is not Microsoft’s responsibility.”
Why not?
Can you say “lawsuit” ? Because that’s what’ll happen as soon as someone’s software gets identified as “malware” and blocked by Windows.
This doesn’t answer the question. And again, this applies to all OS makers. Why shouldn’t it be their responsibility?
Because it’s the OS developers job to provide and OS for running applications. *Which* applications it runs is up to the person using it.
Why should we need third party apps to do the things that the OS itself could do?
Dunno. Why should we have to buy Office suites, image editors and CAD programs when “the OS itself could do” it ?
This might be true, but if it’s an integral part of the OS rather than being billed as MS Anti-Spyware, I don’t see why it couldn’t be done.
Didn’t work with IE or WMP.
Realistically speaking, it would be pretty easy to write spyware for MacOS X.
The interfaces to stuff are pretty well documented, and it’s really easy to hide your app. Just stick it in some folder way down the hierarchy somewhere. Or just add it to .hidden, and slip a line of shell into one of the system’s startup items.
Lots of things have kexts that patch the system. Apple even has sample code that shows you how to insert your kext into the network stack.
The main reason there isn’t a lot of spyware, probably is there aren’t any Mac programmers willing to do the work…at any price.
So in that sense, people are right – there’s no spyware because there’s no market. You won’t find a lot of remote exploits (my firewall has megs of logs of people poking my system, looking for Windows holes), but spyware, well, it’s probably coming someday.
Can you please send me a link that talks about one virus that has infected more than 1,000 MAC computers running MAC OS X 10.2 or newer? Thanks.
“Can you say “lawsuit” ? Because that’s what’ll happen as soon as someone’s software gets identified as “malware” and blocked by Windows.”
So then Lavasoft regularly gets sued?
“Dunno. Why should we have to buy Office suites, image editors and CAD programs when “the OS itself could do” it ?”
Not the same thing. YOu’re talking completely different applications. I’m talking an improvementon security features that are already a part of it. OSes already implement some security features so why not THESE security features?
“Didn’t work with IE or WMP.”
Maybe because they were called “Internet Explorer” and “Windows Media Player”. What if they didn’t have names, separate logos, icons..what if they just were part of the OS? You put in a CD and it just plays. You click on a link in your email and the page opens up in Windows Explorer (as opposed to having a separate program called Internet Explorer). What if they’d have added this functionality to Windows Explorer BEFORE Netscape ever came out?
I haven’t felt like reading 94 comments, and you can call me a boring old fart for what I am going to write…
For me the equation is always the same: Are you fed up with Windows, virii, spyware, activations…
There are two ways out:
1)Buy (expensive) new hardware and new software: the Mac solution.
2)Keep your hardware and download a free OS, with all the necessary apps included, from the internet: the Linux solution…
Unless you are really keen on trying a Mac (as I am). In which case a Mini could be good enough to satisfy your appetite. (they know it and that is why they created the Mini)
>And again, this applies to all OS makers. Why shouldn’t it be their responsibility? Why should we need third party apps to do the things that the OS itself could do?
I wonder if one of Linux advocates will take a challenge of answering this question?
Why protecting us from rootkits is not Linus’ responsibility?
Why should we need third party apps like tripwire to do the things that the OS Linux itself could (or should) do?
Why protecting us from rootkits is not Linus’ responsibility?
Linus us responsible for the kernel, linux is a kernel. If the root kit expolits a bug in the kernel to do it’s thing, It becomes linus’ responsbility to fix it in the mainline tree.
If it is the userland then the company or group that assembled the distro.Similarly is redhat introduced the bug in a fix they put in thier version of the kernel it is thier responsibility.
Why should we need third party apps like tripwire to do the things that the OS Linux itself could (or should) do?
The linux kerenl having functionality like tripwire would be considered bloat. You want the kernel to have as less bloat as possible. Less code less bugs.
The issue here is Apple and Microsoft are the single point of release for thier respective Oses (kernel and userland tech). So the responsibility lies on them. Linux has too many different facets to pin the blame on one person, like say linus. Unless of course he introduced the bug in the first place or took a change into the main tree that did.
Cars now a days have protection features, like BMW transmissions ( automatic and SMG) are computer controlled and it is impossible to mechanically over rev the enigne, with a money shift. This protects the engine and the consumer from a lot of damage. Software should be similar.
Not quite,it is not solely a matter of protecting both the customer and the lifetime of the engine.Here in Europe the big three (Audi,BMW,Mercedes,…) have agreed on a non binding 250 km/h limit.This limit doesn’t mean much for your average 316,but for the coming M5 it does.Now with a laptop and the right software you could easily disable this topspeed limit while the rev referential fit remains the same.
Not quite,it is not solely a matter of protecting both the customer and the lifetime of the engine.Here in Europe the big three (Audi,BMW,Mercedes,…) have agreed on a non binding 250 km/h limit.This limit doesn’t mean much for your average 316,but for the coming M5 it does.Now with a laptop and the right software you could easily disable this topspeed limit while the rev referential fit remains the same.
This si way off topic, but I’ll indulge. I was talking about the fact that the transmission won’t execute a downshift if the result would overrev the enigne into damage. What does that have to do with top speed of 155 miles per hour electronic governor?
You can also flash the ECU software to disable that feature, But that is no different than a user turning off passwords and running as administrator. The car would still function but there won’t be a protection for user error.
Software should be designed so that a user doing stupid things has mitigated effects. That’s all I was saying with that analogy.
This si way off topic, but I’ll indulge. I was talking about the fact that the transmission won’t execute a downshift if the result would overrev the enigne into damage. What does that have to do with top speed of 155 miles per hour electronic governor?
That’s true my bad.Although i would prefer to have the freedom to wreck anything a paid for i think it’s not good for the vast majority.