What a great overview, thank you Lee. Along these lines, I read an  
interesting NYT article that (surprise, surprise) indicates website  
passwords are virtually useless. I'd be interested in your thoughts on  
this one as well:

http://www.nytimes.com/2008/08/10/technology/10digi.html?_r=1&scp=1&sq=goodbye%20passwords&st=cse&oref=slogin


On Aug 13, 2008, at 12:57 PM, Lee Larson wrote:

> On Aug 13, 2008, at 7:54 AM, Profile wrote:
>
>> I just read the Consumer report on virus protection, spyware  
>> problems etc. etc. They never cover the Mac well but they did  
>> mention that a vulnerability to the Mac is spyware, that the Mac  
>> users are blasé and unconcerned when in fact Safari has no built-in  
>> protection for spyware.
>
> Spyware and viruses are the two topics that seem to cycle through  
> the discussion here every couple of months. They're also topics to  
> which my antennae are always sensitive because I'm pretty security  
> conscious. I don't claim to be an expert on the subject, but I'll  
> tell you what I think anyway.
>
> Have you ever had spyware on your Mac?
>
> Do you know anyone who's had spyware on his or her Mac?
>
> I've never had a virus or spyware on Mac OS X and I don't know  
> anyone who's had one.
>
> The anti-spyware and anti-virus companies such as Symantec and  
> McAfee are constantly pushing out self-serving threat reports about  
> theoretical vulnerabilities in the Mac operating system.  
> Publications, including the New York Times, Newsweek, CNet and  
> perhaps now Consumer Reports, dutifully parrot the warnings almost  
> word for word. There are plenty of examples showing that experts can  
> indeed "pwn" Mac OS X by doing unusual things under highly  
> controlled conditions. I've yet to see a credible report of an  
> exploit out in the wild. Until that happens, what is the security  
> software looking for?
>
> Thinking of spyware, in particular, almost all the malware  
> classified as spyware on Windows is not self-propagating. Most of it  
> is inadvertently installed by careless users doing unsafe things  
> like double-clicking attachments. On an unprotected Windows XP  
> machine, a double-clicked malicious executable can do almost  
> anything to the system almost instantly. The same type of program on  
> Mac OS X or Linux would need administrative access to do its thing.  
> To get administrative access, it must be running as an  
> administrative user and to do so, it needs an administrative  
> password. Even if a user is foolish enough to double-click a  
> mysterious file, being asked for an administrative password ought to  
> be a big clue that bad things could happen. Without administrative  
> access, the possibilities are much more limited because the program  
> is limited to doing things in only one account. (It can still do bad  
> stuff, but it can't very easily "pwn" the machine.)
>
> But, there's something deeper going on here. Why is Windows malware  
> so successful? Besides being easy to infect, Windows is the victim  
> of its own success. An exploit can spread efficiently only if a  
> critical mass of machines is susceptible. That will never be the  
> case with Mac OS X; Apple can only dream of having 10% of the active  
> boxes. If only half of those practice safe computing, it's unlikely  
> the critical mass needed for an epidemic can be reached.
>
> That is not to say Mac OS X is invulnerable. Eventually someone will  
> find a way to break into it. At that point, it might well be  
> worthwhile to peek at what McAfee has to offer. My solution is to  
> practice safe computing. I don't run as an administrative user. I  
> don't launch unknown files. I don't type an administrative password  
> unless I know why a program needs it. I make sure my firewall is  
> turned on and doesn't open unnecessary ports. I install security  
> patches promptly. I back up important data.
>
> The best protection against malware on the Mac is common sense.
>
> As for the Safari issue…
>
> There have been two security complaints about Apple going around the  
> 'Net in recent weeks.
>
> The first is Apple's failure to patch a security hole in bind on  
> non-server versions of Mac OS X. This is a complete non-issue for almost  
> everybody because very few people run a domain name server on their  
> desktop and this is what bind does. I think Apple should supply the  
> patch to Tiger and Leopard, but I'm not terribly concerned about it.
>
> The Safari issue that's got the pundits in a tizzy is the lack of  
> phishing protection in Safari, not spyware. This was set off when  
> PayPal threatened to ban Safari users because of no phishing  
> protection. According to PayPal, Safari is the only major browser  
> without such protection. Of course, there are already phishing  
> schemes that get around the protection in the other browsers, so the  
> lack of built-in protection has become somewhat moot.
>
> Apple should address this issue, but, once again, the best way to  
> avoid phishing schemes is to practice safe computing. For example,  
> if you get an email that seems to be from your bank asking for  
> information, don't click on the link in the email to get to your  
> bank's site; navigate there yourself. The link in the email may be a  
> phisher and a direct link through your browser is hard to fake.
>
>
> _______________________________________________
> The next Louisville Computer Society meeting will
> be September 23 at MacAuthority, 128 Breckinridge Lane.
> Posting address: [email protected]
> Information: http://www.math.louisville.edu/mailman/listinfo/macgroup

