• Living in Lala-land - How Safe is Your Mac?

    This is an opinion piece by forum member Lutze - do you agree? Disagree? Throw in your 2 cents and comment on this post.

    Sitting comfortably? Then Iíll begin with a pineapple just where you donít want one - most of the people who visit this site are proud Mac users. Proud of our lack of need for antivirus applications that hog our CPU, proud of not needing to run a firewall because, ďHey, I run a Mac, most hackers who hit it canít do anything anyway!Ē.

    Wake Up!

    While youíve been sleeping the Apple software platform has been ritually sodimised quicker than any other OS once again. CanSecWest has gone past with a whimper rather than a bang this year, but if you were paying attention youíd notice that a fully patched Macbook Pro got taken (it now sits gingerly on Charlie Millers desk on a cushion while it recovers) quicker than any of the 3 systems on display in the annual PWN2OWN, that Mac users should by now be getting used to ďwinningĒ.

    Itís not just the computers that are having problems either - even the iPhone was torn a new one. Again, fully patched and still had the entire contents of itís contacts list quietly stolen, along with itís entire SMS history - including ďdeletedĒ messages.

    This has been happening for a while now. CanSecWest have been ripping OS X apart yearly since at least 2007.

    This was not a good week to be an Apple employee involved in security. These guys should probably be getting the afore mentioned pineapple. The problem is that the horse hasnít just bolted, itís been taken to the local French restaurant and served to everyone.

    To explain how bad this currently is, and why itís so frustrating giving a stuff about this kind of thing you have to understand a few things:

    • No operating system is 100% secure

    • OS X has the biggest target on itís back, and has done since at least 2007

    • The problem is not being hacked, itís the time it takes to fix the things

    This is where Microsoft, after months and months of being knocked from one flaw in Windows XP to the next learnt their most important lesson - set a schedule to fix things. Be public about it.

    Apple have an attitude of ďweíll fix it when we get around to itĒ - or at least that seems to be the case! Donít believe me? It took Apple from Mid March 2009 until Mid MAY 2009 to patch the flaws that Charlie Miller highlighted. Sure Apple have an excuse - they were hard at work on Snow Leopard, and iPhone OS 3. But do you really think that leaving these holes in their OS unpatched for nearly 2 months is acceptable?

    Iím quite lucky, Iíve used and worked in computers / IT for long enough to know how to ensure that my systems are fairly secure, I sit down and read through the NSA documentation on making your OS as secure as possible and do as much of it as I can and yet still be able to access the internet! The only problem at the moment is there is no NSA documentation on 10.6. The latest update from them is for 10.5 - it was last reviewed in September last year. (Iíd like to point out there is nothing for Win7 either, yet, though!). Even Apple have not updated their security guide (quite probably the same document, I really havenít got the spirit in me to check!)

    Iíve been tempted to write this article for a while now, after seeing John Gruber get up at Macworld in February I realised that I wasnít the only one that was getting frustrated at the big olí fruit company. From the article: Gruber drew a comparison between safety and security, suggesting that Windows may indeed be more secure than Macs, but that Windows needed to be more secure (like having better locks on your doors) but Macs were safer (like living in a low-crime neighborhood). One concern was that Apple was slow in rolling out security fixes for publicly disclosed bugs, a danger since they were the largest user of such software (Microsoft develops their own).

    So, what do I think Apple should do about it? It goes against everything that Apple, under Steve Jobs at least, stands for and they need to be talking about what they are doing - publicly. Okay, maybe not Twitter or a Mac OS X security blog, but maybe a page on the Apple site that you can visit to get the latest security updates and whatís going on with the security team. I hate to hold Microsoft up as an example again, but theirs is a good one. They had a team of people at CanSecWest - Iím sure that they learnt a few tricks while they were there.
    Whatís your view, do you care about this? Or do you think that the current security model is working well?
  • Dropdown