A couple of days ago myself and a colleague of mine ran into our Apple account exec. The conversation ended up in the security space, as is probably appropriate considering Apples recent performance in that area. Our account exec quickly followed up with a request for our contact information (good), a press-release style announcement on how much more secure Safari 5.1.7 was going to be (interesting), and a month old article on how to remove Flashback (amusing).
OT: A plan.
Aaron Smith posted this story about the kindness of an NYC cab driver. It's a good read, and it reminds me of something vaguely similar that happened to be a few decades ago.
I had just moved 400 miles from home to a small town in Minnesota near where my grandfathers sister had moved in the 1930's. He didn't get to see her very often, so when I moved near her farm he had an excuse to make the trip.
Apple joins the big leagues
I've been hearing 'OS X is secure' for a decade now. For a decade, I've been challenging that assertion.
The challenges to that assertion generally end up with a response of 'because it's Unix' or 'because it's not Microsoft'. I don't recall 'OS X is secure' assertions being backed up by detailed explanations of anything in the kernel, operating system, development tools or coding practices that assures a higher level of security than competing operating systems, and I don't hold that a Unix history automatically ensures a more secure platform. My first forensic examinations were Unix, not Windows, and I can easily assert that the reason that we have more compromised Windows servers and desktops is because we have more Windows servers and desktops.
The challenges to that assertion generally end up with a response of 'because it's Unix' or 'because it's not Microsoft'. I don't recall 'OS X is secure' assertions being backed up by detailed explanations of anything in the kernel, operating system, development tools or coding practices that assures a higher level of security than competing operating systems, and I don't hold that a Unix history automatically ensures a more secure platform. My first forensic examinations were Unix, not Windows, and I can easily assert that the reason that we have more compromised Windows servers and desktops is because we have more Windows servers and desktops.
Unfortunately the 'OS X is more secure' fantasy has left some (or many) with the impression that they don't need to practice safe computing on Macs. It is OK to run as admin. Anti-virus is not necessary. Drivebys are a Microsoft problem. In my opinion the smoke and mirrors surrounding 'OS X is secure' have also lead to complacency on Apples part. They are not as aggressive at implementing security related operating system improvements (such as ASLR) or routine security patches, nor have they implemented really the really basic security controls that I implemented more than twenty years ago on our NetWare servers (remove the execute permission from directories that contain user data, remove the create/write permission from directories that contain executable code). With the latest attacks on OS X applications and with Apples apparent inability to defend its operating system against drive-by vulnerabilities in third party software, the 'OS X is secure' attitude should must change. A half million users can't be wrong, and those users will eventually move past their denial phase and expect Apple to step up to the plate.
Apple will have to up their game a bit on incident response, too. An urgent fix for a months-old vulnerability followed by a fast tracked effort to provide a malware removal tool, resulting in three updates in ten days, doesn't leave me with the impression that they have a well oiled response machine. Apple will feel heat that has been directed at Microsoft the last decade (and Unix systems before that.) Hopefully they will learn from their competitors and react to the new landscape better and faster than their peers did.
Apple can't blame Sun either. The vulnerability of Java is well known (as are the vulnerabilities of Flash, Reader, Safari, Firefox…). Apple also has had plenty of opportunity to learn from their own mistakes, having repeatedly offered multiple versions of vulnerable desktop software to their customers.
Update 2012-05-11: Apple accidentally logs passwords in clear text. In football (soccer) that would be an "own goal". A major league fail.
Subscribe to:
Posts (Atom)
-
Cargo Cult: …imitate the superficial exterior of a process or system without having any understanding of the underlying substance --Wikipe...
-
Structured system management is a concept that covers the fundamentals of building, securing, deploying, monitoring, logging, alerting, and...
-
In The Cloud - Outsourcing Moved up the Stack [1] I compared the outsourcing that we do routinely (wide area networks) with the outsourcing ...
