Windows vs Mac Security
Posted by
ScuttleMonkey
on Wed Aug 23, 2006 12:27 PM
from the lauchded-into-a-fit-of-rage dept.
sdhorne writes "There is a good technical discussion over at InfoWorld on the merits of launchd and what is lacking in a comparable Windows secure solution. It is a throwback to the UNIX vs Windows security discussion that has been hashed out for many years." From the article: "it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."
Well written, but (Score:5, Insightful)
It seemed pretty well written. That said, I wish he would have said a little more about launchd, at least enough to explain why it gives OSX an advantage. It would have also been nice to have had some kind of side-by-side comparing Windows and OSX, like how the Windows System pseudo-user trumps the admin user, and how there is no way to trump the OSX root user.
Why this can't happen under OS X:
I don't know if I'd go that far. OSX isn't 100% immune - it just has more common sense.
Re:Well written, but (Score:5, Informative)
Re:Well written, but (Score:5, Informative)
(http://www.afp548.com/)
Re:Well written, but (Score:4, Insightful)
(http://plan99.net/~mike/)
From your article:
I guess I'm struggling to see how yet another way to launch things is a revolution in security, given that it's a brand new (and therefore untested) codebase and already has reports of it "freaking out".
The default in Windows is now to have no open ports as well due to the Firewall, so for any up to date installation of Windows the primary ways crap gets in is via browser exploits and malware. I am not seeing anything that Apple does fundamentally different here - Safari has already had several serious security problems, some of them near identical re-runs of problems Microsoft had before (eg help exploits). Malware is just a massively hard problem that nobody is really attacking right now, except maybe Microsoft with Vista, and there's certainly nothing in MacOS that would make it hard to write malware. Indeed there is very simple example code showing how to dump secure form information from Safari and you know how much marketeers would love that.
A lot of the points made in TFA aren't valid either, they are apparently the result of an extreme lack of thought or knowledge:
The purpose of most of the DLLs in SYSTEM32 is documented, just look at the summary tab in Explorer, the problem is that with any complex operating system it's trivial to make up fake names that sound plausible. So it doesn't help as much as you might think. 3rd parties are "duty bound" to produce man pages? Please, how ridiculous. You could argue the same for Linux yet people routinely write new programs without man pages.
Windows requires users to use Administrator to install software? No, buggy software requires that. Historically a few Mac programs have had the same requirements ... iTunes springs to mind. Anyway, the Apple solution to buggy software requiring elevated privileges is "you can't run that software" - not very helpful if you need it.
"Microsoft made it easy for commercial applications to refuse a debugger's attempt to attach to a process or thread" ... no they didn't, there is no API to prevent yourself from being debugged. This is a total fantasy. Why should I believe this guy at all, when he is talking such nonsense? There are various tricks you can use to detect a debugger being attached but none of these are reliable and none have OS support. If you detect a debugger you cannot force it to detach, the best you can do is stop the program and put up a message box. I think he has seen these messages from copy protection software and assumed it's a flaw in Windows. Not so.
"Malicious code or data can be concealed in NTFS files' secondary streams. These are similar to HFS forks, but so few would think to look at these" ... a feature that OS X has as well.
"OS X's nearest equivalent to the Registry is Netinfo, but this requires authentication for modification. In later releases of OS X, it is fairly sparse" ... no it isn't, the "equivalent" is a mish-mash of Netinfo, XML plist files dotted around the filing system, UNIX style config files and proprietary datastores. I fail to see how this is an improvement.
I could go on, most of these points are either wrong or very biased. The article seems worthless as a serious security analysis.
Re:Well written, but (Score:5, Interesting)
The purpose of most of the DLLs in SYSTEM32 is documented, just look at the summary tab in Explorer, the problem is that with any complex operating system it's trivial to make up fake names that sound plausible
I just looked at the summary tab on a dozen random DLLs in my system32 directory (most from microsoft, some from 3rd parties), and there was no information in any of them. Why can't 3rd parties use a different location than MS... at least that would help a little (would help me anyway, if not the actual problem being discussed)
Windows requires users to use Administrator to install software? No, buggy software requires that. Historically a few Mac programs have had the same requirements
"buggy" software? I think you mean to say legacy OR poorly coded... this is one of those side effects that windows carries from version to version (like the registry) because MS refuses to leave customers high and dry for old software. Back in the old days this was the right way to do things, store configs in programdirectory/conf... we didn't have an appdata directory like we do now. Same with registry hives, they weren't set up in the same way they are now where certain users could do certain things. Calling it buggy implies the software is behaving contrary to design, it's not, it's just that the target has moved and the software hasn't all moved with it.
Re:Well written, but (Score:4, Insightful)
(http://slashdot.org/)
From TFA:
"- Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage." [emphasis mine]
First, administrative privilege != the Administrator account.
Secondly, yes, Windows does in fact require admin privs to install most software. Try this some time... Start with a fresh WinXP install. Immediately after setup, create an account with only User privilege and log in with it. Then, try to install all the software you'd normally install (anti-virus/spyware-checker/firewall, ANY productivity software (MS-Office, OpenOffice.org)) and see just how far you get. I'll save you the time: you can't. This is exactly the reason that most users run under an account with membership in the Administrators group for every-day tasks -- they're lazy and don't want to be bothered by being constantly denied access to this function or that resource because the account they're using isn't an Admin. By the way, this goes double for people whose job is Windows Administrator, but not just because they're lazy.. Because they're arrogant in addition to being lazy. [And before you label me a whiner, I'll say that it takes a Windows Admin to know a Windows Admin.]
I further defy you to find a single piece of software for MacOS X that doesn't require Admin privs to install.
I conclude that you're missing the point. A system requiring privilege to install ANY software will be inherently less prone to malware since it requires a brain to be sitting in front of the screen having to make a decision based essentially on whether or not they did anything to provoke such a request from the OS. It makes sense in a business environment where you don't want users installing just anything, and it makes sense in a home environment where you don't want your kids installing just anything -- especially when you don't want it installed by accident, which is (or should be) always. I would also point out that there's a difference between "want" and "need". In the above cases (business and home) "need" becomes "demonstrated need".
Re:Well written, but (Score:4, Interesting)
(http://www.dragonswest.com/ | Last Journal: Monday November 05, @07:35PM)
I don't know if I'd go that far. OSX isn't 100% immune - it just has more common sense.
In a nutshell, OS-X is built upon a known animal, whereas Windows is an animal which continues to be re-invented, like a leopard changing its spots to stripes, then plaid, then paisley, then something else. With such moving targets all the time it's small wonder they've got security issues. Some begin to be addressed with good programming practices (which Apple could certainly lapse at at any moment, and may well have and we haven't heard about) Another is to require tight control over interfaces between code from different departments. Microsoft going back to scratch time and again doesn't necessarily mean anything is getting better.
Re:Well written, but (Score:5, Funny)
I'm not sure that 're-invented' is how I'd describe windows, or their efforts at security.
Re:Well written, but (Score:5, Interesting)
(http://www.dragonswest.com/ | Last Journal: Monday November 05, @07:35PM)
I'm not sure that 're-invented' is how I'd describe windows, or their efforts at security.
In the past Microsoft have commented that they have completely ditched the code Windows was written with and re-written from ground up, to try to address myriad flaws. That's pretty drastic. I've done it with small projects which simply grew too large and unwieldy because they were never expected to scale to newer demands.* Microsoft is effectively doing this with Vista and yet... there still appear to be security flaws. Something wrong with that picture. Could be they're just a victim of their success and such a massive undertaking of code is approaching the event horizon just before the black hole.
*You know the type.. you develop some nifty little tool to summarise information for your own use and someone sees it and says, "Hey! That thing does in seconds what I spend a week doing! I need it, set me up with it!" Next thing you know your little tool has to be user friendly, go to printers, be in colour, etc. Continually piling in changes makes it fragile so you step back, figure what it all needs to do and how to achieve the goals and then recode, with an eye toward more scalability and unforeseen features later.
Re:Well written, but (Score:5, Interesting)
(http://www.samkass.com/blog | Last Journal: Thursday May 12 2005, @02:40PM)
But IE is part of the OS... just ask Microsoft. Seriously, though, back when my previous company had to deal with IIS before moving to a more secure/sane server, one of the server bugs was fixed by upgrading IE on the server, so IE-is-fundamental-to-the-OS is frighteningly close to actual truth with Windows.
Also, I'd like to see the statistics you cite that say that Windows hasn't been hit statistically more than MacOS. There are no MacOS-specific worms or viruses "in the wild", so it's hard to come up with the sigmas for what would be "expected" for what a comparable OS should expect.
Behavioral flaws, not just technical (Score:5, Insightful)
(http://kadin.sdf-us.org/ | Last Journal: Tuesday October 16, @01:46PM)
What struck me is that there are definitely seeming flaws in Windows that make it insecure as-is, but that it doesn't have to be this way; Microsoft has chosen and continues to choose to operate in such a way that exacerbates rather than minimizes the effect of many of the inherent weaknesses of the platform. A similarly designed system, managed and documented differently, would probably be less problematic.
Re:Well written, but (Score:5, Insightful)
I am a Mac user, and I think it is an inherently safer platform design than Windows. But as was mentioned in a recent SANS newsletter, Apple has on occasion had problems with security issues that were resolved long ago on BSD proper and on Linux. So while it's true that OS X is "built upon a known animal", they haven't always been as consistent as I'd like with regard to learning from other groups' mistakes.
Re:Well written, but (Score:5, Funny)
(http://localhost/)
I think you are confused. Leopard, Tiger, and Jaguar are all Mac operating systems...
Re:Well written, but (Score:5, Insightful)
This is, I think, the best summary I've ever read of OS X's inherent security advantage. No OS could really succeed and be 100% air-tight at the same time, IMO. And user- and developer-friendliness does often mean compromises that lead to security problems, but the article that this discussion refers to covers a lot of it well and MECC (parent) summarized succinctly and effectively.
OS X, as an OS, has more common sense built-in.
Re:Well written, but (Score:5, Interesting)
(http://www.buran.org/)
Because they don't force you to use any of it. You can delete any of the utilities that you want. Don't want ichat? Trash it.
On the other hand, good luck getting rid of Windows Messenger. It's even hidden in Add/Remove Programs and fixing that requires a hack well beyond most users.
Don't want to use Safari? Make it go poof.
On the other hand, you CANNOT get rid of Internet Explorer. And that's bad. IE is full of security holes and you can't get rid of it. Safari is far safer, and you can get rid of it.
What hypocrisy was that, again? There's a damn good reason MS gets blasted and Apple doesn't. (Well, it does, but nowhere near as much, and I just explained why.)
Re:Well written, but (Score:5, Informative)
simply removing a filthy icon from the QuickLaunch menu while leaving the whole pile of unsafe, vulnerable infrastructure INTACT, completely BETRAYS the meaning of the word UNINSTALL.
Sheesh... and people talk about Jobs's Reality Distortion Field
Re:Well written, but (Score:4, Informative)
On the other hand, you CANNOT get rid of Internet Explorer. And that's bad. IE is full of security holes and you can't get rid of it. Safari is far safer, and you can get rid of it.
Deleting Safari on a Mac is about as effective as deleting iexplore.exe on a Windows PC as far as getting rid of the browser is concerned. Sure, you've just nuked the front end, but the backend still exists in the OS and is not easily removed. Have you ever heard of Webkit?
WebKit != Explorer (Score:4, Informative)
(Last Journal: Sunday November 05 2006, @02:26PM)
well, (Score:4, Insightful)
(Last Journal: Wednesday September 20 2006, @10:30AM)
I would have thought "(almost) no viruses" would have done the trick since OSX came out...
Or, we don't effectively force everyone to run as super user all the time - if you prefer
Re:well, (Score:4, Funny)
(Last Journal: Monday November 21 2005, @12:45PM)
Re:well, (Score:5, Interesting)
(http://slashdot.org/)
But what if Microsoft offered it all together? (Score:4, Insightful)
(http://www.gentoo.org/security/en/glsa/index.xml)
Don't you think that if Microsoft offered this that everyone would cry monopoly? Actually, I've seen other people on Slashdot cry this before at the announcement of Microsoft's OneCare program, which isn't even bundled with the OS!
Re:But what if Microsoft offered it all together? (Score:4, Insightful)
(http://www.desirecampbell.com/)
And it's not as simple as a monopoly being held to "higher standards", they're held to "completely different standards". This is a prime example, bundled security applications. Apple can bundle whatever they want with their OS - Microsoft can't. Microsoft can't even improve the damned search function without an investigation.
Apple holds more power over their products than Microsoft has over theirs. Apple sells their software with their hardware. Microsoft just sells software. No one says anything bad about Apple forcing its customers to have their proprietary security software bundled with the OS. Microsoft, on the other hand, is forced by the EU to provide versions of Windows without IE and Media Player. Apple puts in Spotlight, and people laud it. Microsoft tries to put the same function into Vista, and they get investigated.
The bottom line is this: If you laud Apple for including more and more useful apps in System Software, then you can't turn around and troll Microsoft for doing the same thing. You can't complain about Windows being worse than OSX and then complain when they try to make it better than OSX.
Re:But what if Microsoft offered it all together? (Score:4, Interesting)
Re:But what if Microsoft offered it all together? (Score:5, Funny)
(http://www.elflord.net/ | Last Journal: Monday March 19 2007, @10:35AM)
They're just damned.
Damned Microsoft.
Re:But what if Microsoft offered it all together? (Score:4, Informative)
Psst. They're called OEMs. Try buying a PC from a big-box store these days without Mcafee or Norton on it.
Re:But what if Microsoft offered it all together? (Score:4, Insightful)
(Last Journal: Friday February 10 2006, @02:51PM)
Re:But what if Microsoft offered it all together? (Score:5, Interesting)
(http://www.kibbee.ca/)
Re:But what if Microsoft offered it all together? (Score:5, Interesting)
(http://slashdot.org/)
Microsoft has been declared a monopoly in Federal court, and found guilty of anti-trust offenses related to abusing that monopoly in violation of the Sherman Anti-Trust Act.
Apple, on the other hand, is not a monopoly, and hence it would be perfectly legal for them to bundle anything they damn well felt like bundling.
Why is this so difficult to understand? Microsoft, because of their market position, is held to a different legal standard. End of story.
Re:But what if Microsoft offered it all together? (Score:5, Interesting)
(http://www.killerdeathrobot.com/)
It's not difficult to understand; it's annoying because it's the wrong argument, and it really muddies the debate. We don't need to hold Microsoft and Apple to different standards to show that one is better than the other. There is nothing wrong with MS bundling software with their OS. What was wrong was that they were forcing companies like Dell NOT to include competing software (such as Netscape).
It's a moot point any way though, because in this case we aren't even talking about the right thing. As someone else mentioned, we're talking about a system that is built to resist viruses and such, not virus scanning software bundled with the OS.
Re:But what if Microsoft offered it all together? (Score:4, Insightful)
It's not difficult to understand; it's annoying because it's the wrong argument, and it really muddies the debate. We don't need to hold Microsoft and Apple to different standards to show that one is better than the other. There is nothing wrong with MS bundling software with their OS.
I 100% disagree with this. It is illegal for MS to bundle any software with their OS, for which there is a separate market (like antivirus). Anyone who understands the economic models of monopolies should understand why. We are holding MS and Apple to the same standard. Neither can bundle products they have for which there is an existing market, with a product they have that is a monopoly in a market. It is illegal for MS to bundle antivirus software with Windows. It is not illegal for them to bundle antivirus with their mice or MS Office. It is legal for Apple to bundle antivirus with their OS. If Apple is ever ruled to have a monopoly on iPods it will be illegal for them to bundle antivirus with iPods (They are around 70% of the market now and some courts have already begun investigating the possibility).
Re:But what if Microsoft offered it all together? (Score:4, Insightful)
The issue is persuading other companies who sell your product not to sell a competitors product.
The issue is, quite simply, doing anything that provides your product an advantage over another product, because you have a monopoly on a different product. It does not matter if it is coercion, bundling, or tying. Here's the test. Look at two products in the market, like IE and Firefox. Does IE gain an advantage in the market because MS bundles it and thus all developers know users will have it available? Yes. Are they able to do this because of their Windows OS monopoly? Yes? Without having a monopoly, can the Firefox team make sure every Windows box has a copy of Firefox on them, without costing them any money? No. Thus it is a violation.
Do you have cites for your claims MS has settled with several companies over Wordpad?
I don't have citations, just something I think I recall from an article in passing. MS has settled a lot of these lawsuits, most of them with the inclusion of a nondisclosure clause. It would take a lot of digging to find any given specifics, if it is even possible.
And while having 70% marketshare may have potential for monopoly influence, it doesn't mean you are imposing your will on vendors - it means you probably have enough clout to do so. I mean, anyone has the potential to be a murderer, but we aren't all murderers now, are we?
Here is where you are making a false analogy. Being a murderer is illegal, by definition because it means you have committed murder, which is a crime. Being a monopolist is not illegal because gaining a monopoly is not illegal. Abusing a monopoly is illegal. Thus a more proper analogy would be Monopolists are like people who have baseball bats. They both have the power to commit a crime. If a baseball bat owner beats someone to death or if a monopolist bundles another product with their monopoly product, then they have committed a crime.
In the case of Apple, the courts aren't ruling if Apple has beaten someone. We know Apple is bundling. The courts are ruling if Apple has a baseball bat and is thus guilty of armed assault instead of simple assault. They are measuring the size and weight of the stick Apple has to see if it is legally a weapon. (To be a more perfect analogy, beatings would have to not be a crime unless committed with a weapon as bundling is not a crime unless they involve a monopoly product.)
Re:But what if Microsoft offered it all together? (Score:5, Interesting)
Also, there's a difference since in the Apple world, there isn't an antivirus or antispyware market, but in the Windows world, there is a huge market that's been around for over a decade, so it's a big deal when Microsoft starts bundling its own versions of these services.
For the record, OS X ships with no antivirus software. Not needed.
Re:But what if Microsoft offered it all together? (Score:4, Interesting)
(http://www.gemstate.net/friends | Last Journal: Tuesday September 11, @10:32AM)
It has nothing to do with Microsoft not offering anti-virus, anti-spam, encryption....
The problem has everything to do with Microsoft having to keep backwards compatibility!
Windows wasn't designed to be used on a totally open network. It was meant to be a single user OS that ended up being used as a server and then being hung on an insecure network we call the Internet.
Running windows with less than administrator rights is a pain.
Installing software without administrator rights is impossible.
The problem with Windows security is the same problem that Microsoft has with IE7 not following standards.
They refuse to give up on backwards compatibility to fix fundamental flaws.
The reason that people keep using Windows is because their old software works. That is Microsoft's big advantage in the market place. They are not going to lose that to fix security issues.
Obligatory apple joke (security related) (Score:3, Funny)
Finding half a worm in your Apple.
Microsoft is just too nice? (Score:4, Insightful)
(http://www.bernsrite.com/ | Last Journal: Monday June 27 2005, @11:36PM)
So if they bundled everything you list (anti-virus, anti-spam, encryption, etc.) into the operating system, you don't think they'd be accused of illegally leveraging their monopoly advantage? Just look what happened when they integrated a web browser into the OS a few years ago.
Re:Microsoft is just too nice? (Score:5, Insightful)
(http://nekobox.org/)
1) Threaten Compaq with withholding OS licenses if Compaq installed Netscape Navigator as the default browser
2) Threaten IBM with increased OS license fees if IBM did not drop OS/2
Those were the lynchpins of the antitrust lawsuit. If Microsoft had ONLY bundled, they would not face monopoly abuse charges. Then HP could have UNBUNDLED IE and installed Firefox, or IBM could have unbundled Windows and installed OS/2.
Apple's bundles can be unbundled. That is the critical difference. Drag Safari, Mail, Virex, Appleworks, iCal, and Quicktime to the trash, and the OS still works.