[EAS] End of Innocence for Macs

pjk pjk at design.eng.yale.edu
Thu May 3 03:04:09 EDT 2001

Dear Colleagues -

As most of you probably know, I have been a staunch Macintosh user
since 1984, and continue to be entirely happy with that choice. And
one of the pleasures of Mac usership has been an about 20:1 ratio
between the number of PC viruses and those of Macs.

With MacOS X, the basic architecture of the Mac OS undergoes a
major change and, I gather from this article, could be rather more
vulnerable. Right now I am still perfectly happy using Mac OS 8.6,
not even 9.1, so these new threats are not imminent for me. But in
time they will be my concern. And if it indeed isn't enough of a
concern for Steve Jobs now, then that _will_ be a problem for the
future of Macs.

But what also bothers me about this article, more specifically than
its arrogance, is the unmistakable element of "Schadenfreude", of
glee that Mac users will finally have to suffer also. "Where
security was concerned, Apple users enjoyed a free ride," the
author complains.

It seems to be lost on him that there are many advantages and
pleasures in relative obscurity, whether it is travelling under a
Dutch passport, or in using Macs. As long as one "speaks all the
relevant languages" and can responsibly transact all that really
needs to be transacted in the computer and network environment,
what is the advantage of joining the mainstream?

All best,  --Peter Kindlmann

"We know what happens to people who stay in the middle of the road.
They get run down."  Aneurin Bevan (1897-1960)

"DOS Computers, manufactured by millions of companies, are by far
the most popular, with about 70 million machines in use worldwide.
Macintosh fans, on the other hand, may note that cockroaches are
far more numerous than humans, and that numbers alone do not denote
a higher life form." (New York Times, November 26, 1991)


By Alex Salkever
May 1, 2001

OS X's heavy reliance on Unix makes Macs tempting potential targets
for hackers and viruses. It's a threat Apple must do more to head off

Time was, malicious hackers ignored Macintosh users. The MacHeads were
few in number, and breaking into their machines was generally a
thankless endeavor. Macs didn't run at all like ubiquitous Windows or
Unix machines, and they were far less useful in hacking exploits. No
one launched distributed-denial-of-service (DDOS) attacks that bury
Web servers under avalanches of spurious queries off the backs of
hacked Macs.

So, where security was concerned, Apple users enjoyed a free ride.
Same with virus attacks. Mac users avoided the carnage of the I Love
You virus in May, 2000. Nor did they have to worry about nasty
Trojan-horse attacks, such as the SubSeven variety that could give
hackers remote control of a computer. Mac users lived in a digital
Garden of Eden, a simpler place free of serpents.


But with the coming of OS X, Steve Jobs has led Mac users out of that
land of innocence. The software heart of Apple's newest operating
system is a derivative of the basic Unix OS developed long ago at AT&T
Labs. As such, it's more similar to the operating software that powers
Sun Microsystems workstations, IBM mainframes, and VA Linux servers
than it is to previous Mac operating systems. And here's the danger:
Cybercrooks, who love to hack these types of machines, could easily
develop a taste for Apples. Thanks to OS X, Macs have become easier to
penetrate with standard hacking tools -- and also more useful for
launching extended and potentially damaging hack attacks.

To be sure, hackers have yet to bite into OS X. As yet, no one has
spotted any alarming spikes in vulnerabilities reported to the
federally funded CERT Response Center, which flags computer-security
threats, and by private security groups. And since few big companies
use Macs to run their enterprise networks, the guts of most remain

That said, OS X is so new and, so far, so little used that it's simply
too early to say that the hackers just aren't interested. While there
is not much glory for the hacker who brings down the network of a
four-person design shop, the fact remains that Macs could now be
hijacked to participate in DDOS attacks or break into connections on
other Unix machines. Moreover, Mac users could well end up being
vulnerable to viruses. Finally, media companies still use lots of Macs
for everything from design to advertising. Combine all this with Unix,
and that could prove an irresistible temptation to malicious hackers,
who just love to mess with the press. (Witness the numerous hacks of
The New York Times' Web site.)


That means Apple users now have to consider all the security issues
that come with operating in a Unix world. Too bad Apple hasn't figured
this out yet. Steve Jobs proudly boasts Apple will soon be the largest
seller of Unix-based operating systems in the world due to the
expected widespread adoption of OS X. But the company has yet to take
basic steps to set up the kinds of monitoring-and-reporting systems
needed to ensure continued security for Mac users. "OS X has the
potential of being one of the biggest security liabilities on the
Internet," says Preston Norvell, a network-security expert and member
of the professional group Macsecurity.org.

To be fair, OS X is probably more secure than the previous Mac
operating systems that remained hack-free due to isolation rather than
secure software design. Apple chose to build OS X atop a relatively
secure Unix platform called Free BSD (Berkeley System Distribution).
And the company has done some good things to protect its users. For
example, it's the first consumer OS with a firewall built right into
the software core. Plus, Apple has shipped OS X with many of the Unix
functions that can be security risks switched off. "Apple's done a
decent job of out-of-the-box security in OS X for a first go-round,"
Norvell says.

But the nature of threats facing Unix machines is far more dynamic
than those that confronted Mac OS users in the past. On an almost
daily basis, warnings about new Unix vulnerabilities emerge from CERT
and various security firms. These alarms generally elicit a prompt
reply from software vendors. But thus far, Apple has shown little
inclination to build a systematic response-and-evaluation effort to
ensure that OS X users know what they need to worry about.


For starters, there's no security destination for OS X users on
Apple's Web site. Nor does Apple operate a security mailing list to
notify users of potential weaknesses and patches they could apply to
lock down their systems. Microsoft, Sun, and Red Hat all maintain
security mailing lists and security destinations.

Apple also has failed to provide a way for programmers or others to
notify the company of new security flaws. "There is currently no known
e-mail address, or drop box of any sort, to notify Apple of a
potential or confirmed security problem in any of their products,"
Norvell says. That isolates the best source of information about new
security leaks: Apple's customers.

Furthermore, Apple hasn't shown any indication that it has assigned
dedicated staff to tackle security issues and write patches. A key
component of security for any serious OS is a team of experienced code
writers that can quickly evaluate threats, assess the damage
potential, and inform customers. Such a dedicated response team is
particularly crucial with Unix products.

Here's why: Due to the underlying similarity of all Unix systems, a
vulnerability in one type of Unix system can often be used to compromise
another. That means security engineers must scramble to ensure that
Unix problems announced on one platform won't prove hazardous to
others. This is the way the CERT notification system has worked until
now, and it has depended on software vendors investigating reports in
a timely manner. That's tough to do without a dedicated security


"In any situation where a security hole is found that affects general
Unix services, it is relatively likely that it will affect OS X," says
Adam Engst, editor of the popular Mac newsletter Tidbits. "The problem
is that Apple has to step up to the plate and take the lead in
informing users about the security issues."

Apple claims it's committed to the security of its users. The company
refused to comment specifically for this article but did release a
statement: "Apple is very conservative in setting up secure solutions
for our customers by default. In addition, we actively participate
with industry advisories, such as CERT, to quickly provide our
customers solutions to any emerging security issues as they arise."

But according to Norvell, Engst, and others, Apple has been slow to
respond to CERT advisories, often taking months to patch big holes.
And Apple has so far failed to respond to the first CERT advisory,
released on Apr. 10, that could affect OS X -- a warning about a flaw
in the Free BSD software platform that was used to develop the
operating system.


That's symptomatic of a largely secretive Apple culture, which is
still coming to grips with its shift into the far more transparent
Unix world. This head-in-the-sand approach seems to be coming from the
top down. "At the OS X launch, when I asked Steve Jobs about security
issues, he gave me the total hand wave," recalls one concerned Apple
software developer.

Apple may well hire dedicated security engineers in short order,
setting up e-mail bulletins and building an easy-to-use security site
-- just as Bill Gates has done. And Mac users might also find a
treatise on how to secure new OS X machines tucked into their product
literature. But neither of those developments has happened yet. Until
they do, Steve Jobs is leading what could be millions of new users out
of the garden and into a den of possible serpents.
