On Jul 29, 2004, at 10:33 PM, Philip Stortz wrote:
but aside from that, the real
problem with I.E. is that microsoft does not care about security, which means their products
will be grossly insecure, and being a market leader (financially at least) they are an
often attacked target (i.e. by crackers). this is not just my opinion, but also that
frequently voiced in cryptogram by bruce schneier, one of the "founders" of computer
security.
Bruce Schneier is a really smart guy; he is also a really cranky guy sometimes. ;-)
seriously, bruce is generally a very bright guy, but i have to disagree with most of his
security assertions. computer security is rightfully a field all it's own, which is why
only experts should write firewalls and encryption and other security products or at least
design the algorithms and protocols (which still need to be properly implemented, good
encryption algorithms that are poorly implemented in code can be worse than poor
algorithms well implemented, see the cryptogram doghouse of security companies selling
snake oil that doesn't and can't work).
I really don't want this to turn into a pissing match, but what bugs me is the 'sky is falling' attitude many adopt over systems security, especially by those who know enough to be dangerous.
You immerse yourself in this stuff. A lot. Because of that, it tends to crowd your world view, I think, making the forest we're looking at hidden by the trees you're seeing.
The original poster was talking about IE connecting to a secure banking site on a Mac running OS 9.
OS 9 is not hackable remotely, so long as you've got guest sharing off, as it is by default. It just isn't. It can be DOS'ed, anything with an IP address can be, but hacking into it to compromise it? Nope.
There is no underlying os, there is no other user accounts to 'break into', no services running.
Bad guys do not sit around sniffing peoples web connections waiting for them to connect to the bank so they can steal their passwords. They hack into the vendors and banks themselves and steal thousands and thousands of names, passwords and account numbers at once.
It is, in fact, PERFECTLY SAFE for him to continue to use IE to access his bank accounts, provided Bank One doesn't start running malicious code on their servers.
This is the advice I give everyone...there are sites that just flat out *need* IE to access; keep it around for those sites and use Mozilla for everything else. I wish it weren't so, but this is the real world. Microsoft has 95% of the systems market...they're the 800 lb gorilla in the room and you gotta play nice with them sometimes.
OS X is safer, out of the box, than 99% of the systems out there; *every* remote service is turned off.
This is like the advice police give to homeowners. You don't need to make your house absolutely burglar-proof, just hard enough to make it not easy. The burglars (or skriptkiddies in this case) will just go off looking for easier targets.
You don't need to outrun the grizzly bear, just the hiker next to you...
Macs are small number of harder-than-average targets to hit in an incredibly "easy target" rich environment. Windows is just an open sewer of exploits, and after that, there's all those poorly configured Linux systems.
I'm not saying do not pay attention to security, or that Apple is perfect (though I'd have to say that comparing it to Microsoft in this regard is like comparing the Mona Lisa to a paint-by-numbers picture of an old water mill...yes, they're both paintings; and that's about as far as it goes.) because there is a BSD exploit does NOT necessarily mean that OSX is vulnerable, only probably.
What I'm saying is there's no need to panic or become paranoid about it. You don't need to be a tinfoil hat wearing hermit living in a Faraday cage with copper mesh in the windows; you need develop a few computer-healthy habits: don't turn on any services you don't need, use the built-in firewall and keep up-to-date on those system updates.
Hell, if you just keep up with system updates and keep an up-to-date antivirus program running you can make a *Windows* machine vastly safer. Not absolutely safe, but saf*er*. Use mozilla instead of IE when you can, and you make it that much better.
The security stance needed by someone administering a rack of Xserves is a heck of a lot different than the one needs by some poor schlub who wants to look at his bank balance online.
i've also been using macs for a long time, and love the mac os, but the security claims
being made for os x just don't hold water. there just hasn't been a major well publicized
intrusion yet, but few intrusions ever become public, and some security flaws have.
Intrusions, in general don't become public. The *exploits* that are used in these intrusions, on the other hand, usually do become publicly known.
in
fact, there's a discussion right now on the [EMAIL PROTECTED] security list about a
rather major though in this case convenient security hole that allows passwords and other
sensitive and normally encrypted data to be recovered from the swap file, which is not a
good thing and not possible on securely designed systems.
Sometimes.
That trick did not just work on my system, or on another system I tested (I know, n=2 is a horrid sample, but it's what I've got at the moment), but in any case, the logic in using it to fish out admin passwords is faulty, since you *already need* admin access to a system to exploit this 'hole'.
The key lesson to be learned from that thread is that if you use File Vault, exercise good password hygiene. He used a dictionary attack (and a <bleeping> huge dictionary file...:-) to crack it. He also had total physical possession of the system and Admin access *already* on the machine.
Using other exploits to bootstrap an attacker into admin privileges *already* accomplishes getting admin privileges. It's sort of like a burglar removing the lock, examining it, and making a key to your house to break in and get the spare house keys off the hook in the kitchen...an exercise in futility, and it doesn't mean that having your spare house keys on a hook in your kitchen is a dire security risk.
Like I said, seeing the forest for the trees is a hard thing sometimes.
I've never said OS X is not hackable, I've never said that it's 100% safe.
I've said it is a heck of a lot saf*er* than other systems out there.
IE on the Mac is just not as exploitable as it is under Windows, and by what is occurring out there, it is not being exploited. You don't get the spyware running on Macs that you do on PC's.
yes there are keyloggers and other *real* malicious stuff you can install on a ac running OSX, but getting that working requires that you break one of the three rules of computer security:
1) Maintain physical security: "If you let the bad guy sit down at your computer and use it, it's not your computer anymore."
2) Maintain Systems Security: "If you let the bad guy run programs on your computer, it's not your computer anymore."
3) Watch out for Social Engineering: "If you let the bad guy convince you to run his program on your computer, it's not your computer anymore."
I'm not advocating complacency, but cautioning against paranoia.
-- Bruce Johnson
This is the sig who says 'Ni!'
-- G-List is sponsored by <http://lowendmac.com/> and...
Small Dog Electronics http://www.smalldog.com | Refurbished Drives | -- We have Apple Refurbished Monitors in stock! | & CDRWs on Sale! |
Support Low End Mac <http://lowendmac.com/lists/support.html>
G-List list info: <http://lowendmac.com/lists/g-list.shtml> --> AOL users, remove "mailto:"; Send list messages to: <mailto:[EMAIL PROTECTED]> To unsubscribe, email: <mailto:[EMAIL PROTECTED]> For digest mode, email: <mailto:[EMAIL PROTECTED]> Subscription questions: <mailto:[EMAIL PROTECTED]> Archive: <http://www.mail-archive.com/g-list%40mail.maclaunch.com/>
Using a Mac? Free email & more at Applelinks! http://www.applelinks.com
