Apple Fixes 'Misleading' Leopard Firewall Settings 264
4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."
Re:As usual, other considerations... (Score:3, Insightful)
For the record, I saw the writeup and was hoping you'd have written a response, and am glad to see you did. Those of us who are capable of understanding facts and logic, rather than knee-jerk pretending that "w000, this is just as bad as Vista on a good day" and all that, appreciate your time and efforts.
Re:As usual, other considerations... (Score:5, Insightful)
But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?
Seriously, if an MS-shipped firewall decided (without telling you) that 'block all incoming connections' really meant 'block all incoming connections except for MSN Messenger and oh, I don't know, maybe Media Player', would you be making excuses about how it was really necessary and understandable to deliver the "Microsoft Experience(TM)"?
No, I didn't think so either.
Yes, Apple should be applauded for recognising a problem in their software, as well as a problem in the way their software presents itself, and fixing it.
But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.
Re:As usual, other considerations... (Score:3, Insightful)
MS has a well deserved crappy reputation. Apple has a well deserved good reputation.
Historically speaking, MS would avoid, pretend it doesn't exist, refuse to take the blame, and release a patch 2 weeks later that just happened to fix this issue.
Yeah,Apple screwed up but they are fixing it and the admit it. Integerity can go a long way.
In your world it seems nothing and nobody can every be forgiven for making a mistake. How sad.
Appl ewas very clear about what it does:
The 10.5.0 Application Firewall blocked all but:
Processes that are running as UID 0
mDNSResponder
The 10.5.1 Application Firewall blocks all but:
configd, which implements DHCP and other network configuration services
mDNSResponder, which implements Bonjour
racoon, which implements IPSec
Re:As usual, other considerations... (Score:3, Insightful)
Re:Does it move files correctly? (Score:3, Insightful)
Re:As usual, other considerations... (Score:2, Insightful)
MS did exactly the same with Windows. All those nice important services that are on and open and insecure just for the user. Comcast do the same for all their users - let you do what makes sense and block everything else. Sony also did what makes sense with their rootkit - after all a CD shouldn't be played i a computer, right, that's what a CD player is for?
And all LIED about it and misled paying customers.
But this is Apple so it's different right? Must be hard to take when you see your God making mistakes and deceiving you. Hypocrite!
Re:As usual, other considerations... (Score:4, Insightful)
Umm, people were screaming themselves blue about how Apple's firewall was broken or fundamentally flawed or misleading. There were dozens of articles about it and hundreds of postings in discussion groups.
The difference between Apple and MS (or for that matter Linux developers and MS) is that Apple does not have a monopoly so they actually have to listen to their users and make changes to make them happy. They very quickly made sensible changes to make it clearer how the firewall behaves and addressed pretty much everyone's concerns, even those of people who really didn't know what they were talking about.
Security is a journey not a destination. Security is about trying to allow users to do what they want while stopping things they don't want from happening. There will always be security holes and room for improvement. Concentrating on mistakes made by any vendor is counter productive. So long as the vendor responds and fixes the problem and takes a responsible attitude, they're doing fine by me.
Re:As usual, other considerations... (Score:4, Insightful)
There is a significant difference between Apple's firewall settings and MS's use of DirectX. Apple changed the way the firewall worked to be application level and sandboxed the services that it let by the firewall. Unfortunately they misleadingly labeled that setting. When users tested it, they became upset. Apple needs to keep customers happy in order to make money, so they changed it to conform to what customers wanted. It is good business and the way the market is supposed to work. Apple wants to make money, so acting out of what could be called avarice, they give users what they want.
Microsoft has monopoly influence in the desktop OS market as well as a few other markets. They included ActiveX partly to motivate sales, but also partly to try to make Web applications tied to their monopoly to lock in customers and help leverage that OS monopoly into a Web monopoly and into the online media and services markets. It makes them a lot of money, even if it brings negative consequences to users. Users don't want to be locked in making migrations and cross-platform tools hard. Users don't gain benefit from MS taking over other markets. Because MS has a monopoly, however, it doesn't matter what users want. Since they don't have to keep users happy, MS has literally no financial motivation to fix the security problems ActiveX creates and they have significant financial motivation to not fix it.
On a very basic level, a monopolist will almost always be worse at innovating and giving users what they want than a company competing in a healthy market. The #1 best way I can think of to fix all of Window's security problems is to break up MS. Split the company into two new companies, forbid them from any non-public communication or collusion, and give both the rights to all the code, copyrights, trademarks, and patents in Windows. Users want security and both will start making real improvements since otherwise the other will be getting the money from consumers. It is my firm belief that until MS's monopoly is broken one way or another, MS will never be able to compete with Apple or Linux when it comes to security. They just aren't motivated.
Re:As usual, other considerations... (Score:5, Insightful)
Re:Nice. (Score:3, Insightful)
I think his comment was reasonable. Not at all lunatic fringe like some Roughly Drafted stuff can be.
Oxymoron (Score:2, Insightful)
Hopefully you can just turn the bloody thing off.
"Software firewall" is an oxymoron. A firewall is a physical box that sits between two networks, filtering the exchange of information between them.
For those of us who actually have firewalls, having the operating system muck things up with a "software firewall" is just a nuisance. For those who don't, it's a false and dangerous sense of security.
Re:maybe not (Score:3, Insightful)
I'd argue that the GUI an CLI are both standard interfaces to the firewall. A flaw where either of them incorrectly informs the user about the settings is a flaw in the firewall. I'd further argue that since the GUI is the more used interface, the flaw reflected there is more serious than a flaw in the CLI.
Re:Oxymoron (Score:2, Insightful)
Re:As usual, other considerations... (Score:3, Insightful)
On a very basic level, a monopolist will almost always be worse at innovating and giving users what they want than a company competing in a healthy market. The #1 best way I can think of to fix all of Window's security problems is to break up MS. Split the company into two new companies, forbid them from any non-public communication or collusion, and give both the rights to all the code, copyrights, trademarks, and patents in Windows. Users want security and both will start making real improvements since otherwise the other will be getting the money from consumers. It is my firm belief that until MS's monopoly is broken one way or another, MS will never be able to compete with Apple or Linux when it comes to security.
I've been running windows since Windows 3.1 and have never been infected by a virus, spyware or rootkit and nor has my installation ever been compromised. No matter what horror stories you have about Windows they are almost always the result of somebody's stupidity. If you aren't competent enough to secure your installation, get someone else to do it, stop blaming the OS. No *OS* can ever be 100% secure.
Re:As usual, other considerations... (Score:5, Insightful)
Funny. Technically, I don't need to use the Web at all in coffee shops, so by your argument I should block all traffic. On the other hand, I prefer my computer to be functional, when that functionality does not pose a significant security risk. Guess what, I also have SSH enabled for access, even though I only need to access it occasionally. The service I originally referred to (Bonjour) is unlikely to pose a security risk, especially since in addition to finding an exploit in it, an attacker would have to find an exploit in the Mandatory Access Control sandbox OS X runs it in by default. I'm a lot more likely to be exploited by an attack on my Mail.app than by an attack on Bonjour. Do you also advocate that I do not check my e-mail while at the coffee shop?
Screw that. Half the benefit of Bonjour enabled chatting is that I can easily talk to people I don't have in my "buddy" list while at conferences and coffee shops. Sacrificing function out of unjustified fear is not my cup of tea.
Umm, okay, then don't use it. Good luck finding a capable first party GUI firewall configuration tool on a platform that is not riddled with security holes.
Honestly, it sounds to me like you're looking for something to complain about. I really wish people with your sort of an attitude on security would revisit your basic assumptions. Security is about allowing users to do what they want with a system, and prevent things they don't want from happening, especially without their permission. Reducing functionality just means users turn off security features or move to a system where they have more functionality. If I had a dollar for every time I've seen someone at a LAN party shut off their firewall completely because it was restricting something they wanted to do and was too hard to enable just that application/behavior... well, I'd have enough cash to buy a good steak and some scotch anyway.
Re:As usual, other considerations... (Score:5, Insightful)
I disagree that Microsoft doesn't have any financial motivation to fix the problems in ActiveX and their various technologies. Take a look at IE7. Where are all the ActiveX exploits that target IE7? Microsoft has a HUGE installed userbase that depends on IE/IIS and Visual Studio for development. They have a huge incentive to keep that cash cow secure.
From real world experience, I can tell you that Microsoft does just fine with security. I have hands on experience with literally thousands of desktops and hundreds of servers running 2000/XP/2003 and zero security incidents. With good firewalls, security policies, group policies, WSUS, AV, etc. it is possible to secure Microsoft networks. You just have to know what you are doing and stay abreast of the latest developments. It also helps if you use some open source tools like Snort, nmap and the like to keep an eye on what is going on behind the scenes.
The original point of my first post still stands though. As Apple moves forward, they are going to have to face the same challenges that Microsoft faced... balancing the user expectation of an easy to use interface and "it just works" mentality with security needs.
Re:As usual, other considerations... (Score:3, Insightful)
Making money and maximizing market share is fine, when they lead to increased efficiency and innovation in the market. That is why capitalism is so successful, because in a capitalist system competition for custom leads to innovation and efficiency. The problem is monopolies break capitalism and lead to reduced innovation and inefficiency. It is sort of like combining the worst aspects of socialism and the worst aspects of capitalism. That is why abusing monopolies is illegal, pretty much everywhere. They were made illegal when giant companies lowered the quality of life significantly for the average person.
No it was just made artificially profitable, breaking the normal way innovation works in capitalism. Monopolies don't have to force anyone, all they have to do is undermine the normal functioning of the market.
Bundling is a classic form of tying, as called out in US antitrust law.
Sigh, way to completely miss the point.
And did Sun have the option of simultaneously bundling Java with every desktop OS, while at the same time bundling a broken version of ActiveX? No, they didn't because MS had a desktop OS monopoly to leverage while Sun did not. Thus there was no fair competition between the two for many years. You'll recall MS lost in court eventually on that count? I take it you did not understand why?
Great way to illustrate my point. MS does not have a monopoly on server OS's, they have to compete with Linux. They do have a monopoly on desktop OS's and they are hacked en masse every day.
Windows is less secure, demonstrable simply by the numbers hacked. For real users, Windows is insecure by comparison as any competent and objective securty expert will tell you.
Good for you, too bad that is not the general case. Most people are not so lucky or careful.
No, but it could be a lot better and the average person could have a choice of which OS comes with the computer they buy so they can make purchasing decisions based upon which is more secure. Are you telling me you honestly don't think security would be better if you had a choice between Windows A or Windows B and could vote with your wallet as to which is more secure? It is a rare user (like you) who argues against choice. Someone drank the kool-aid.
That's not the product. (Score:4, Insightful)
That's not the product. The product is the analysis and commentary and opinion posted ABOUT the content. Knowing viewpoints and trends can be as valuable as the content itself, if not more so.
Re:As usual, other considerations... (Score:3, Insightful)
Yup, one year after Sun introduced a Java runtime for Windows and MS started bundling a broken version to undermine the platform (perhaps you recall the antitrust conviction).
... and to make sure those applications were tied to Windows so that people could to easily target multiple platforms using the Web, a strategy they still pursue with their refusal to support newer Web technologies, or even older and capable Web technologies fully and in accordance with the specs.
I can and do, however, argue that it only allowed developers to get their content to Windows users, not to all Web users and I can further argue, that was very intentional.
MS has incentive to appear to be making security improvements and actually are making a few in response to competition from Linux on the desktop in corporate environments. Some of their general security work is helping, but in truth since most users have no other option, they just don't care to devote the resources, especially when they can use them to expand into console gaming, or online media delivery, or publishing tools, or one of the many markets they don't already have locked-in.
They have incentive to keep IIS secure because they have to compete with Apache in the server space, but not really end users of Windows on the desktop.
Oh, I think they already are facing that same problem. They're a smaller target, but they also have a better track record so far. My point, however, is that Apple and Linux will both do a better job of it than MS, simply because they have more significant financial motivations. The best way to fix MS's security problems is to provide them with similar motivation.
Re:As usual, other considerations... (Score:1, Insightful)
No, Apple wasn't very clear at all about what it did. In fact, its option, while having the virtue of simplicity, was incredibly misleading. Some would even say outright wrong and dangerous.
To most people in the English-speaking world, means that all connections are blocked. Not most, not "non-critical" ones, but all connections.
Absolutely, to their credit, Apple is jumping on this and fixing it. Great. Wonderful. That is indeed one of the reasons they have a good reputation.
However, to try and claim they were very clear... sorry that comes off as boosterism, or someone who really doesn't remotely grasp security issues. Or possibly someone who doesn't speak English very well and understand the meaning of the phrase "block all connections".
If you're the third, then, sorry, your otherwise reasonably well-written post lead me to assume you do grasp the rudiments of the English language.
If you're one of the first two, think about how you'd respond if this were an OS you don't happen to use or favor.
One of the problems of course is that computer systems and networks are quite complex. We're trying, as engineers, to design systems that are robust, complex, reliable, secure, and easy to use. I'm not sure all these endeavors are simultaneously feasible.
Apple slipped up in a somewhat ridiculous (but easy to fix) fashion here. It happens. Glad to see they're rectifying it fast. But to try to pretend there's no problem, or that it was entirely clear... heh.
Re:As usual, other considerations... (Score:5, Insightful)
Well, I've been working at a network security company for the last four years and have been reading detailed weekly reports for internal consumption, written by well regarded professionals. What, exactly is your expertise?
Everything has vulnerabilities. Linux and OS X boxes, have fewer, exposed for shorter periods of time, and less regularly exploited, especially in an automated fashion.
You did note that the new version of OS X ships with a MAC ported from SELinux and comes with all the services exposed by default preconfigured to run in sandboxes. And because it is included by default, unlike Linux distros, applications developed from now on can count on it and come preconfigured as well.
No, they're not because default Linux and OS X install have fewer exposed services and fewer known, unfixed vulnerabilities at any given point. Aside from that, most exploits are not directed, but automated and Windows is vastly more exposed to those attacks.
Please. The numbers belie your assertion. The average user, simply buying a Mac significantly reduces their risk of having their machine compromised.
Interested in finding Apple's place? Go to BlackHat, or DefCon, or one of the other big security conferences in the next year. When there, take a quick count of how many Mac laptops you see in use among security experts. It was upwards of 50% at the last one I went to, and it was a private conference for security experts at tier 1 network operators. Why do you suppose that is, because all those security experts are idiots and just not as brilliant as you are?
What /. does (Score:4, Insightful)
- Filter the news so I don't have to read everything on every site, but can hit one site for all (or most of) the tech stuff that's relevant for me
- Provide a somewhat civil way to discuss the news
I didn't pay, but I also don't block the ads, and I see nothing wrong with paying for it. IfRe:Oxymoron (Score:2, Insightful)
Re:pfft... (Score:3, Insightful)
---- The 'product' here is aggregated stuff that flows in _after_ it has been placed online elsewhere
No, the 'product' is the service of aggregating all that content in one place, so you don't have to trawl all over the net looking for new places to get your snark on.
Aggregation doesn't just happen. It takes back-end tools to select, organize, and present all that 'stuff that flows in'. The Slashdot team wrote the software, built the database, and maintains the network that keeps it all going. They also have a ten-year track record of selecting and aggregating stuff that geeks find reasonably interesting. If you think that's trivial or easy, go right ahead and start your own aggregation service. We'll see where you stand ten years from now.