PC users switching to Mac for Security

[rustedborg]

In my own experience, the Windows box can be just as safe as any
other platform. 99% of the time, users are to blame for security
problems and not the technology. Why most home users of Windows are
logged in as administrators is beyond me, that is where lot of
these problems start! I think it is wrong to think that Mac or
Linux will protect you any better than Windows box will.

Well, I must be a part of the 1% of people who have "genuine" virus/spyware/tojan/security problems and aren't complete idiots.

I've never opened emails from people I don't know, I've never clicked on banner ads, I don't visit questionable websites, I keep my anti-virus and firewall software up to date, and I run regular sweeps for spyware/adware on my PC ... and STILL I end up with viruses, spyware, and adware on my PC at least once every 6-12 months.

I've also got an old Powerbook that I still use for web surfing, word processing, and simple aps ... and the PowerBook has NEVER had a virus/spyware/adware/trojan/security problem.

I'm not going to stop using my PC because there are still some pieces of software/freeware that I use that are PC-only ... but the problem is there. As far as I'm concerned it's just a numbers issue. More people develop code for viruses, spyware, etc. based on Windows because almost 90 percent of computer users are using Windows-based PCs. If you want your virus or spyware or whatever to hit the most people/businesses, you need to target what they are using.

If everyone switched to Macs today about 100,000 new Mac viruses, spyware and adware would hit the world next week.

 

[Ken Leonard]

Actually I have done (and continue to do those things) on a daily basis on my Mac. Unlike you I do not get viruses/malware/spyware even though I do the things you avoid on your PC. Don't get me wrong, on a daily basis people attempt to send viruses to me. I have been 'hit' by MyDoom at least 6 times in the past 2 days. They have no effect on a Mac.

If you want to be free of problems on your Windows based machine try the advice here:

http://tech.msn.com/guides/955450.armx?GT1=6483

Sure glad I do not have to do any of that!

As I have stated elsewhere, give it a year and I will be willing to bet Mac OS X enjoys 5 years without a virus.

Read all about Macs and viruses here:

http://porg.4t.com/Security.html

I just cannot understand why you Windows users want to put yourself through such daily pain!

Well, I must be a part of the 1% of people who have "genuine"
virus/spyware/tojan/security problems and aren't complete idiots.

I've never opened emails from people I don't know, I've never
clicked on banner ads, I don't visit questionable websites, I keep
my anti-virus and firewall software up to date, and I run regular
sweeps for spyware/adware on my PC ... and STILL I end up with
viruses, spyware, and adware on my PC at least once every 6-12
months.

I've also got an old Powerbook that I still use for web surfing,
word processing, and simple aps ... and the PowerBook has NEVER had
a virus/spyware/adware/trojan/security problem.

I'm not going to stop using my PC because there are still some
pieces of software/freeware that I use that are PC-only ... but the
problem is there. As far as I'm concerned it's just a numbers
issue. More people develop code for viruses, spyware, etc. based on
Windows because almost 90 percent of computer users are using
Windows-based PCs. If you want your virus or spyware or whatever to
hit the most people/businesses, you need to target what they are
using.

If everyone switched to Macs today about 100,000 new Mac viruses,
spyware and adware would hit the world next week.

 

[Daniel JS]

If everyone switched to Macs today about 100,000 new Mac viruses,
spyware and adware would hit the world next week.

I am sorry.. you are grossly and completely wrong. Oy. Whoa! Man are you off base.

While it is more than technically feasible to compile malware code (virus, trojan, etc) that can run on a Mac... it would be in the end, impotent so long as the "ineffected" Mac is run to Apple specifications... that is.. user is logged on as Admin or User only... and NOT Root. Because of the fundemental design differences between Windows and Mac OS X... Mac OS X is INHERENTLY more secure. You propose security through obscurity and you couldn't be more wrong.

-Daniel

 

[canonballs]

Daniel JS wrote:
While it is more than technically feasible to compile malware code

(virus, trojan, etc) that can run on a Mac... it would be in the
end, impotent so long as the "ineffected" Mac is run to Apple
specifications... that is.. user is logged on as Admin or User
only... and NOT Root.

Even with non-root privileges you can still completely hose up your home directory. If something bad were to happen on my Mac I know I would prefer it to happen in my System directory rather than at . If I could choose, that is.

If everyone switched to Macs today about 100,000 new Mac viruses,
spyware and adware would hit the world next week.

I am sorry.. you are grossly and completely wrong. Oy. Whoa! Man
are you off base.

I would still think that this view has a point. Remember a time when a web page could run a script under Safari? (with current user privileges) That was patched up by Apple within a couple of weeks. If OSX had larger market penetration, don't you think there would be actual malware around based on this? - While I think that was a major screwup on Apple's part, I understand this behaviour is business as usual under Windows, correct me if I am wrong.

--
canonballs

 

[shepha]

Contrary to what Mac cynics might say, the upgrades in Mac OS X Version 10.4 (also known as Tiger), Apple's latest operating system, are not just cosmetic. New features such as Tiger's search tool are powerful enough to change the way Mac users work, and intriguing enough to possibly convert a few Windows users.

The $129 upgrade should work on any G3, G4, or G5 FireWire-era Mac. I installed a shipping version of the OS in about an hour each on an aging 867-MHz PowerBook and a newer 1.67-GHz PowerBook, with no problem.

Advertisement

Taken from: http://www.pcworld.com/reviews/article/0,aid,120910,00.asp

Tiger's breakthrough feature is Spotlight, a desktop- search tool that rummages through files, folders, e-mail, Apple applications, and major third-party programs such as Microsoft Word and Excel (but not Entourage e-mail). It then displays results neatly by category. Spotlight can search by the usual criteria (file name, keywords) but also by a dizzying variety of deeper "metadata" such as author, audio bit-rate, and photo aperture. You can even save Spotlight searches as Smart Folders that continually update and add related files.

Tiger includes plenty of other useful additions. Dashboard Widgets are attractive miniapplications that aggregate information like stock prices and flight times. You also get Safari support for RSS (Really Simple Syndication) for reading blogs and news feeds, as well as parental controls for the Finder, Mail, IChat, and Safari.

Reports of networking bugs have surfaced, so if you use a cross-platform network or VPN, check for compatibility. You don't need this upgrade. But Spotlight is cool and useful enough to make Tiger well worth the purchase price.

I have seen Spotlight in action, it will highlight in ANYTHING!! E-mails, books on the Apple, maps, pictures, (the only thing I kind of wish it would do I wont mention)!!

CAN YOUR WINDOWS MACHINE DO THAT??

--
Ashley

 

[CptnJustc]

Owning both Macs and PCs (and generally preferring Macs when I don't need the functionality of a PC), I don't really advocate one side over the other. But I've got to take issue with a few things here:

No Sh*t! That is only because of the 3% market share. The
advantages of the PC is worth having to run AV software.

Has nothing to do with market share. Most used Web server is
Apache, most hacked is IIS. It's fundamental system architecture
differences, not market share.

The truth of this is pretty murky, because of all the variables involved. Apache seems to be preferred for single-server solutions for static web pages, which leave out the scripting languages that open up all kinds of security holes. One could argue that, since IIS is favored among Fortune 1000 companies, it makes a juicier target. So it would be about market share....

But to say that Apache gets hacked to a lesser degree than IIS is one thing. To say that OSX will forever be free of virii due solely to superior architecture is another. Surely in this case market share has SOMETHING to do with it, particularly when you consider that so many Windows intrusions are from phishing scams or spyware piggybacking on more-or-less legitimate software, the kind of user error which an OS can only do so much against.

I like the fact I can build good value PC for only $900 that at 2
years ago blows away any Mac at that price and still does today.

Wrong again. My new Powerbook is faster at day to day tasks than
my 2 year old IBM A31p 2.0Ghz 1GB machine I use every day at work.
The PB is also faster at Photoshop. And they both cost roughly the
same new, with the IBM probably being a little more expensive.

Having a new Powerbook and something approximate to your IBM, I really don't see a difference in everyday tasks. Though I prefer Macs, I've got to admit that at least through mid-range machines, you can get PCs for a good bit less. It comes down to intra-architecture brand competition and business strategies: Apple is legendary for their profit margins, PC makers are not. Apple's prices seem to be coming down across the board, though. I hope that continues.

I like the fact that PhotoShop is PhotoShop, Flash is Flash and
Dreamweaver is Dreamweaver.

And PS runs better and faster on a Mac.

I haven't seen a difference, other than that I can get certain plug-ins only on the Windows side, though I'll have to see if CS2 obviates that.

 

[Ken Leonard]

And PS runs better and faster on a Mac.

I haven't seen a difference, other than that I can get certain
plug-ins only on the Windows side, though I'll have to see if CS2
obviates that.

As far as I know PS Plug-ins and actions are one and the same for PC's and Mac's. In other words if a Plug-in is devleoped on a PC it will work on a Mac and vice versa. Same is true with actions. Now if those plug-ins or actions were made into an .exe file of course you could not execute the code on a Mac. Perhaps that is what you are saying?

Here are some plug ins you can use on either platforms.

http://porg.4t.com/plugins.html

Ken

 

[Daniel JS]

Even with non-root privileges you can still completely hose up your
home directory.

This is tantamount to accidentally deleting personal data that you don't maintain a backup for... I can drag and drop any sub folder within my home directory VERY easily and quickly. That's the first point. The second point is app execution.. how do you expect an executable to initiate on a Mac in the absence of such "wonderful" technologies such as VB and ActiveX? ;-)

If something bad were to happen on my Mac I know I
would prefer it to happen in my System directory rather than at .
If I could choose, that is.

I suppose what you're saying is that you don't want to lose proprietary data (your information) vs. stuff you can easily re-install. I'll counter to that and say, I'd rather restore a folder through drag and drop then rebuilt an entire system.

I would still think that this view has a point. Remember a time
when a web page could run a script under Safari? (with current
user privileges) That was patched up by Apple within a couple of
weeks.

Panther saw major revisions in Mac OS X architecture. The basic foundation was always there.. but Puma through Jaguar and even into Panther, was still a bit rough. We are in a different era now.

If OSX had larger market penetration, don't you think there
would be actual malware around based on this?

In a word, no. I can theorize possible ways of attacking a Mac... its part of my job... but if you run a tight ship... no... on a Mac you should be just fine.

While I think
that was a major screwup on Apple's part, I understand this
behaviour is business as usual under Windows, correct me if I am
wrong.

Its worse than you think... the evil triad of ActiveX, VB and .net are the real culprits. Microsoft infusing EVERYTHING it produces with these technologies... the net result is self propogating, autonomous executables with incredible access to key information.

-Daniel

 

[canonballs]

Even with non-root privileges you can still completely hose up your
home directory.

This is tantamount to accidentally deleting personal data that you
don't maintain a backup for... I can drag and drop any sub folder
within my home directory VERY easily and quickly.

This involves some obviously stupid action on user's part. My point was that if you can get malware to execute on a Mac then it can do harm even with non-root privileges. This was in response to your suggestion that permissions were something of a panacea.

That's the first

point. The second point is app execution.. how do you expect an
executable to initiate on a Mac in the absence of such "wonderful"
technologies such as VB and ActiveX? ;-)

With the vulnerability I mentioned where Safari let web pages execute scripts (sorry, I do not remember what kind of scripts those were), I checked out the demonstration page and had it start up Terminal (for demonstration purposes). I suppose this should be about as simple as 'tell application Terminal activate...' Given that this is (was) possible, tell me why a script like this cannot trash some of your ordinarily-privileged files, download to, say, Applications and open an application, query your keychain for smtp login and password and send somebody mail - I'm sure you can think of something more imaginative than that as well.

If something bad were to happen on my Mac I know I
would prefer it to happen in my System directory rather than at .
If I could choose, that is.

I suppose what you're saying is that you don't want to lose
proprietary data (your information) vs. stuff you can easily
re-install. I'll counter to that and say, I'd rather restore a
folder through drag and drop then rebuilt an entire system.

Fair enough. My backups are not always up-to-last-minute.

I would still think that this view has a point. Remember a time
when a web page could run a script under Safari? (with current
user privileges) That was patched up by Apple within a couple of
weeks.

Panther saw major revisions in Mac OS X architecture. The basic
foundation was always there.. but Puma through Jaguar and even into
Panther, was still a bit rough. We are in a different era now.

Prepared to bet Apple won't have a hole similar or worse than that within the coming five years?

If OSX had larger market penetration, don't you think there
would be actual malware around based on this?

In a word, no. I can theorize possible ways of attacking a Mac...
its part of my job... but if you run a tight ship... no... on a Mac
you should be just fine.

Again, with that Safari vulnerability "running a tight ship" included not visiting "bad" web pages. I tend to think that a Mac user should not be seen as doing something stupid when they enable pop-ups and even click on them if they are so inclined.

While I think
that was a major screwup on Apple's part, I understand this
behaviour is business as usual under Windows, correct me if I am
wrong.

Its worse than you think... the evil triad of ActiveX, VB and .net
are the real culprits. Microsoft infusing EVERYTHING it produces
with these technologies... the net result is self propogating,
autonomous executables with incredible access to key information.

It sometimes occurs to me that OS X's current privilege system is somewhat underdeveloped. I sometimes wish I could disallow network connection to (all but) specific applications, only allow an application to touch files form a specific folder etc. Perhaps with that in place one would be better equipped to face the horrors you describe. All those freefloat executables could be rendered harmless (and, yes, perhaps useless) if by default the system did not give them too much freedom to do as they please. To make this work it appears like you have to institute an elaborate permissions infrastructure. For example, system updates would have to be given pretty sweeping authority. At this point this begins to sound somewhat like "trusted computing" (less the DRM carp) of which I hear more from Microsoft than from Apple.

But I won't dispute your point that presently Windows looks like a far sorrier mess than the competition.

--
canonballs

 

[Rod Smith]

I find it interesting that, in all this wrangling about security, no one has mentioned the Orange book and DoD requirements for trusted systems. Of course neither OS-X nor Windows XP is, to my knowledge, certified on any level at this point.

I am fully aware that certification, even at the C level, is a difficult, frustrating, expensive process, and generally undertaken only with large government contracts in mind (or in hand!). For example, A-1 certification requires a complete, formal, written mathematical system analysis for final proof. Orange book certification is THE litmus test.

For those who maintain that 'UNIX' basic security is intrinsically sound, I might point out that a vanilla UNIX system has never been officially certified as far as I can determine, certainly not beyond the C level. On the other hand, DoD Security and personal desktop security are two different domains, but there are overlapping requirements.

Nevertheless, a look at the Orange book standards for each level is enlightening and could lead one to some obvious conclusions about both Windows XT and OS-X, assuming a general understanding of the internal structure of each system.

If you are interested, take a gander at:

http://www.dynamoo.com/orange/index.htm

--
Rod Smith
Niceville, FL

 

[canonballs]

I find it interesting that, in all this wrangling about security,
no one has mentioned the Orange book and DoD requirements for
trusted systems.

Rod, you refer to a text produced by DoD as the yardstick. I am curious as to how much you generally trust the American military to get things like computer security better than anyone else.

Curiously, in the culture where I grew up, the military are about the last community one would turn to for sound judgement.

--
canonballs

 

[Daniel JS]

This involves some obviously stupid action on user's part.

Ever listen in on a support car... "users" are capable of absolutely mind-blowing stunts.

My
point was that if you can get malware to execute on a Mac then it

There's a big "if" in that line. ;-)

can do harm even with non-root privileges. This was in response to
your suggestion that permissions were something of a panacea.

They are not the total solution, but they contribute greatly to it.

With the vulnerability I mentioned where Safari let web pages
execute scripts (sorry, I do not remember what kind of scripts
those were), I checked out the demonstration page and had it start
up Terminal (for demonstration purposes). I suppose this should be
about as simple as 'tell application Terminal activate...' Given
that this is (was) possible, tell me why a script like this cannot
trash some of your ordinarily-privileged files, download to, say,
Applications and open an application, query your keychain for
smtp login and password and send somebody mail - I'm sure you can
think of something more imaginative than that as well.

1.) anything that is permission protected requires SUDO at terminal
2.) terminal cannot fire off summarily at will.

3.) the process you describe only works against KNOWN LOCAL scripts, that is to say, the remote perl process that would pass through Safari could only execute a script LOCALLY and pre-existing on the Mac.

Prepared to bet Apple won't have a hole similar or worse than that
within the coming five years?

Yes. As a premiere developer for Apple for over 16 years, yes.

Again, with that Safari vulnerability "running a tight ship"
included not visiting "bad" web pages.

No, not so. You made a logic leap... but not to worry.. you're in good company. Many made the same assumption. The vulnerability that was noted last May that affected both Safari and Explorer on OS X only worked against KNOWN LOCAL scripts.. that is to say, that the person or persons intending the malicious act from afar would have to had had access to the computer in question to either plant a script on the computer or be able to place one there and know exactly where it was placed, too.

I tend to think that a Mac
user should not be seen as doing something stupid when they enable
pop-ups and even click on them if they are so inclined.

Yes... but... why?

It sometimes occurs to me that OS X's current privilege system is
somewhat underdeveloped.

There's more in the works than you think. That's about all I can say.

I sometimes wish I could disallow network
connection to (all but) specific applications, only allow an
application to touch files form a specific folder etc.

You can. Simple utility called Snitch. Go download it and install it. Works like a champ.

Perhaps
with that in place one would be better equipped to face the horrors
you describe. All those freefloat executables could be rendered
harmless (and, yes, perhaps useless) if by default the system did
not give them too much freedom to do as they please.

Like... ummmm... OS X? ;-)

To make this
work it appears like you have to institute an elaborate permissions
infrastructure. For example, system updates would have to be given
pretty sweeping authority. At this point this begins to sound
somewhat like "trusted computing" (less the DRM carp) of which I
hear more from Microsoft than from Apple.

True.

But I won't dispute your point that presently Windows looks like a
far sorrier mess than the competition.

Indeed.

-Daniel

 

[Daniel JS]

I find it interesting that, in all this wrangling about security,
no one has mentioned the Orange book and DoD requirements for
trusted systems. Of course neither OS-X nor Windows XP is, to my
knowledge, certified on any level at this point.

Ummm.... the entire US Navy Nuclear submarine fleet, both SSN and SSBN (and newly converted Ohio SSGNs) are managed by... drum roll please... Apple Xserves running dual boot Yellow Dog and Mac OS X.

The US Army is building its new clustering systems on... Mac OS X. Same for the US AirForce.

The DOD has moved all its web and public information servers to... yep... Mac OS X.

And the list goes on from there...

-Daniel

 

[Daniel JS]

Ever listen in on a support car... "users" are capable of
absolutely mind-blowing stunts.

Doh! I mean "support call."

-Daniel

 

[mbryda]

The truth of this is pretty murky, because of all the variables
involved. Apache seems to be preferred for single-server solutions
for static web pages, which leave out the scripting languages that
open up all kinds of security holes. One could argue that, since
IIS is favored among Fortune 1000 companies, it makes a juicier
target. So it would be about market share....

IIS is not favored by more Fortune 1000 companies.... Head over to http://www.netcraft.com and look at the stats. Many high profile companies run Apache (IBM, Zdnet/Cnet, CNN, HP, Compaq, Apple, etc) and they most definitely do more than just static webpages. You'll also notice that IIS lost marketshare lately. And it's not 50/50 either - 69.7% of sites run Apache vs 20.26% IIS.

Remember - A$P and A$PX are not the only dynamic content languages out there for the Web. Smart companies use Java, Perl, CGI, etc vs ASP/ASPX which only tie to M$ technologies.

one thing. To say that OSX will forever be free of virii due
solely to superior architecture is another. Surely in this case
market share has SOMETHING to do with it, particularly when you
consider that so many Windows intrusions are from phishing scams or
spyware piggybacking on more-or-less legitimate software, the kind
of user error which an OS can only do so much against.

The NIX architecture is so much more secure than Windows it's not even funny. Look at the bugs - Windows typically are of the nature "xxx causes a buffer overflow which leads to code being able to be run". NIX bugs are "xxx causes a buffer overflow which leads to yyy to crash". There are few root/code exploits available for NIX.

The phishing stuff happens all the time - I get them all the time on my Macs. If you are dumb enough to click a link in your e-mail you get what you deserve. What I tell everyone is that even if it looks like it's from your bank, credit card, mortgage company, don't click it. Call them. Go to their website directly, but don't click that link.

Having a new Powerbook and something approximate to your IBM, I
really don't see a difference in everyday tasks. Though I prefer
Macs, I've got to admit that at least through mid-range machines,
you can get PCs for a good bit less. It comes down to
intra-architecture brand competition and business strategies:
Apple is legendary for their profit margins, PC makers are not.
Apple's prices seem to be coming down across the board, though. I
hope that continues.

Day to day, you're right - not much difference. But in PS and general multitasking, the Mac leads - it can do more before getting bogged down.

However, the price of a Mac is not as high as you would think when you add in all the stuff you get for free. A client had bought a new Dell. It had lots of Demo versions - limited photo editing software (Paint Shop Pro) that expired in 90 days, limited versions of Quicken, Office, etc. Consider that with a consumer Mac you get the whole iLife suite, Appleworks (or iWork), a full version of Quicken, and a few other apps. It's not a bad value at all.

Before I got my iMac 3 years ago I priced a similarly configured Dell (even though I'd never, ever, ever buy a Dell). The Dell was $200 more than the iMac.

Same stories with laptops - show me a 15" widescreen with an 80GB 5400 RPM drive, 8x DVD +-RW, 512MB, and 64MB video card from a teir 1 manufacturer (IBM, Compaq, Toshiba, etc) for $2400. They are hard to come by.

Sure you can get a laptop for $599, but it's a 14" 1024x768 model with shared video RAM, 256MB, and a small and slow hard drive. Sorry, I outgrew 1024x768 with my iMac and it was the reason I shopped PB. Add a high-rez 15" screen to a laptop and you're almost @ $2k...

 

[mbryda]

problem is there. As far as I'm concerned it's just a numbers
issue. More people develop code for viruses, spyware, etc. based on
Windows because almost 90 percent of computer users are using
Windows-based PCs. If you want your virus or spyware or whatever to
hit the most people/businesses, you need to target what they are
using.

Not true at all. Do you have any idea how easy it is to write a virus/trojan/spyware app for Windows? It's as easy as point and click and you get a new variant.

Has nothing to do with the #'s - it's just that easy to write these things on Windows. You could write stuff like that for OSX or any of the NIX variants, but it would be very tough.

See, on Windows, you cause a program to crash or do a buffer overflow, 9 out of 10 times you can then execute code. On a NIX system the porgram simply crashes and does not allow code execution 9 out of 10 times. So the automatic virus thing is pretty much a non starter for nix.

If everyone switched to Macs today about 100,000 new Mac viruses,
spyware and adware would hit the world next week.

No they wouldn't. The differences in the architecture would make many of these programs hard or impossible to code.

MS would like you to think it's because of the popularity, but the root of the problem is the POS that Windows is at a very deep level.

 

[canonballs]

This involves some obviously stupid action on user's part.

Ever listen in on a support call... "users" are capable of
absolutely mind-blowing stunts.

Sure. However, protecting the user from their own stupidity is not something I realistically expect from any OS in my lifetime.

With the vulnerability I mentioned where Safari let web pages
execute scripts (sorry, I do not remember what kind of scripts
those were), I checked out the demonstration page and had it start
up Terminal (for demonstration purposes). I suppose this should be
about as simple as 'tell application Terminal activate...' Given
that this is (was) possible, tell me why a script like this cannot
trash some of your ordinarily-privileged files, download to, say,
Applications and open an application, query your keychain for
smtp login and password and send somebody mail - I'm sure you can
think of something more imaginative than that as well.

1.) anything that is permission protected requires SUDO at terminal

On an average OS X real-life volume there is valuable stuff that is not permission-protected.

2.) terminal cannot fire off summarily at will.

I am not sure what you mean by "summarily". So the demonstration page only activated a script already present on any OS X system whose effect was or included starting up Terminal?

3.) the process you describe only works against KNOWN LOCAL
scripts, that is to say, the remote perl process that would pass
through Safari could only execute a script LOCALLY and pre-existing
on the Mac.

Again, with that Safari vulnerability "running a tight ship"
included not visiting "bad" web pages.

No, not so. You made a logic leap... but not to worry.. you're in
good company. Many made the same assumption. The vulnerability
that was noted last May that affected both Safari and Explorer on
OS X only worked against KNOWN LOCAL scripts.. that is to say, that
the person or persons intending the malicious act from afar would
have to had had access to the computer in question to either plant
a script on the computer or be able to place one there and know
exactly where it was placed, too.

OK, so only-just-downloaded scripts do not qualify as KNOWN LOCAL? I assume a single web page can both download a file and run a remote perl process - can it not? Would be nice if you could briefly comment on what makes a script KNOWN LOCAL.

Prepared to bet Apple won't have a hole similar or worse than that
within the coming five years?

Yes. As a premiere developer for Apple for over 16 years, yes.

Glad to hear that.

I tend to think that a Mac
user should not be seen as doing something stupid when they enable
pop-ups and even click on them if they are so inclined.

Yes... but... why?

Again not sure what you mean here. "Yes" seems to indicate agreement. Why? Because I think it can be genuinely difficult to differentiate between "safe" and "malicious" web content without trying it out first, hence the user should be protected by the software from technically harmful effects. Do you agree with the quoted statement for a different reason?

I sometimes wish I could disallow network
connection to (all but) specific applications, only allow an
application to touch files form a specific folder etc.

You can. Simple utility called Snitch. Go download it and install
it. Works like a champ.

Little Snitch I think it was called. Nice, but I did not want it bad enough to pay €25. My point was not so much about specifically restricting network access but a more about a systematic approach to letting the user determine what an application is or is not allowed to do - play sounds, ask for current time, take over the whole screen etc.

Perhaps
with that in place one would be better equipped to face the horrors
you describe. All those freefloat executables could be rendered
harmless (and, yes, perhaps useless) if by default the system did
not give them too much freedom to do as they please.

Like... ummmm... OS X? ;-)

Sure, OS X knows no ActiveX. I wonder if some of the functionality of all that wonderful stuff can still be retained without compromising security.

--
canonballs

 

[canonballs]

The phishing stuff happens all the time - I get them all the time
on my Macs. If you are dumb enough to click a link in your e-mail
you get what you deserve. What I tell everyone is that even if it
looks like it's from your bank, credit card, mortgage company,
don't click it. Call them. Go to their website directly, but
don't click that link.

I wonder if you could be so kind as to tell me what harm clicking on "that link" exactly does - I am not talking about filling the forms. I can see it tells "them" your e-mail address is valid. Anything else? Is the concern about what they read in your cookies?

--
canonballs

 

[Kendall Helmstetter Gelner]

Rod, you refer to a text produced by DoD as the yardstick. I am
curious as to how much you generally trust the American military to
get things like computer security better than anyone else.

For one thing, the document is RIGHT THERE. Read it and make up your mind based on what it says rather than on innate mistrust of the military.

Curiously, in the culture where I grew up, the military are about
the last community one would turn to for sound judgement.

Regardless of how you feel about military forces or the US military in particular, just step back and think about what you are saying. The military and intelligence agencies are some of the tastiest targets around for hackers of all sorts, not to mention outright spies.

If you want the last word on paranoid thinking and the utmost in deep ponderings over security, there really are few people that can match the military because they have more severe problems if compromised and have a far larger budget than most groups would to think about such things. I have worked quite a bit on corperate security systems, not so much with government stuff but I've read some of the specs before. Yes they do know what they are talking about.

--
---> Kendall
http://www.pbase.com/kgelner
http://www.pbase.com/sigmasd9/user_home
http://www.kigiphoto.com/Gallery

 

[canonballs]

For one thing, the document is RIGHT THERE. Read it and make up
your mind based on what it says rather than on innate mistrust of
the military.

As the document is rather long, I have little intention of reading all or most of it. I was interested in the public perception of the implication "since it comes from DoD, it must be solid" (wildly off-topic, my apologies). From this angle, the actual contents of the document are almost irrelevant.

From what I've seen, the document sets out some evaluation criteria. If there are arguments why these are the "right" criteria (which for all I know they may be), I did not read that portion.

The military and intelligence agencies are some of the tastiest
targets around for hackers of all sorts, not to mention outright
spies.

If you want the last word on paranoid thinking and the utmost in
deep ponderings over security, there really are few people that can
match the military because they have more severe problems if
compromised

True. However it occurs to me that the military context is one where guillotine-type solutions are more viable than elsewhere. It would not surprise me if the CPU used in the military for controlling something dangerous is not the same as the one used for recreational web browsing. (In a way, computer security is easy - just chop your modem cable. Even if your adversary is smarter than you are, you are still pretty secure.)

and have a far larger budget than most groups would to

think about such things.

I think I've seen way too many examples where the size of the budget is in inverse proportion to the quality of the product. (Again, I am not implying anything about the Orange Book).

I have worked quite a bit on corperate

security systems, not so much with government stuff but I've read
some of the specs before. Yes they do know what they are talking
about.

You'll probably get offended again but I tend to trust "corporate security systems" (generally, as opposed to the ones that you worked on) about as much as the military ones.

Many thanks for your input.

--
canonballs