A Closer Look At Apple Leopard Security 267
Last week we discussed some of the security features coming in Leopard. This article goes into more depth on OS X 10.5 security — probably as much technical detail as we're going to get until the folks who know come out from under their NDAs on Friday. The writer argues that Apple's new Time Machine automatic backup should be considered a security feature. "Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X — perhaps in the history of Apple — from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system."
Security (Score:3, Insightful)
Re:Security (Score:5, Insightful)
It is basicly a case if one can say I am more secure then you then I win.
Re:Security (Score:5, Insightful)
Mod parent up (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Microsoft is free to use any and every security feature ever developed by the open source community. This includes virtually 100% of Linux/bsd's development and lion's share of OSX's security features as well.
The reason we can't say the same for a Microsoft->open source is because for a lot of security in windows...no one has access at all.
Re: (Score:2)
Re: (Score:2)
...tries to unlock it. Have there been any cases where merely installing third-party software on a machine caused it to be bricked on an update (and, if so, was it demonstrated that the third-party apps were the cause, and were there any cases of an unmodified iPhone being bricked by an update)?
Unlocking and jailbreaking are not the same thing.
Re:Security (Score:5, Informative)
On top of that Apple regularly credits security researchers and links to their websites in software updates when they report vulnerabilities to Apple. They work with the community, not against it.
You can work with Apple on these open source projects. The fact that you don't, and that you don't know about them in the first place probably means you aren't a programmer, and aren't really serious about contributing to open source. What you really like doing is feeling superior.
It's perhaps most telling that you use the iPhone as an example of why you're upset at Apple's lack of security. You have it all backwards. The issue with the iPhone was that there were security vulnerabilities. The iPhone was cracked with a buffer overflow exploit. Apple fixed the exploit, which broke hacked phones. They did not intentionally brick phones, and instead told people not to update if they had hacked phones. You're probably remembering the whole thing wrong because you were too smug to learn the facts. Hint: fixing buffer overflows is good security, not bad. Apple is under no obligation to preserve a buffer overflow on a product they ship. If you don't want a security hole patched, don't update the product.
Apple hasn't violated the terms of any open source license. They give back to the community. They maintain a number of open source products. You can be mad about the iPhone being locked, but that's a separate issue from security or open source.
Re: (Score:2)
Re:Leopard Screenshots and Tutorials (Score:5, Interesting)
Re: (Score:3, Informative)
Significance (Score:5, Insightful)
Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.
Re: (Score:2, Funny)
Don't you mean iUnix?
Re: (Score:2)
Re:Significance (Score:5, Insightful)
It wasn't a lot of people. It was a vocal minority, the same minority which swore up and down that they'd never touch Apple again after the Intel switch and who spend hours debating the tiniest "flaws" in OS X's GUI. In other words, people for whom computers are an obsession or a fetish.
The the rest of us--people for whom computers are tools used to make money--OS X, and the features it brought, were long overdue. The switch was entirely worth it if only for the addition of a modern memory susbsyetem to an Apple OS. No more preemptive multitasking and having to specify how much memory each application got.
Re:Significance (Score:5, Informative)
Re: (Score:2)
Re: (Score:3, Interesting)
I mean really...you think the people who even know about the term "preemptive multitasking" wasn't outnumbered by those who groused about how the new Mac upgrade ran a
Re: (Score:2)
I can completely recognize that 10.0 was pretty rough when moving from OS 9.
Old Macs had a flaw (yes, I said it) where holding down the mouse button would freeze the rest of the computer.
Including the network stack.
We noticed this because when the rest of the office would play MP3s from our graphics guy's Mac's shared folder, everyone's audio would randomly and simultaneously drop out. We eventually realized that it happened when he was holding Photoshop's menus open for a long time while he pondered which filter to apply to some image.
People who found 10.0 to be rough wer
Re: (Score:3, Interesting)
There were people who understood the flaws, but (correctly) thought that moving to OS X should not require giving up good performance (which took years to get back), or UI niceties like the way the classic Finder worked. As to the latter, unfortunately Steve apparently didn't like the old Finder and never allowed the OS X Finder to work the same way. Spatial mode is still broken to this day, the "Show Package Contents" feature is
Re:Significance (Score:4, Informative)
Definitely. The old OS model allowed certain shortcuts such as hacks that directly patched the code segments of other programs that were running to change their behavior. The new protected memory model flat-out makes that hackery impossible, so it was up to programs to add explicit support for message passing and other external control systems. There isn't a message passing system in the world that's as fast as just overwriting a destination application's buffers with new data.
That's just one example of why some things are inherently slower if done right. Sometimes it's just not avoidable. That doesn't mean that the new way is inefficient or bad, just different.
I was never into Macs back in the day so I can't comment on old vs. new Finder or spring loaded folders, etc., but I find it telling that the only people who seem to seriously dislike the new Finder are the ones who seriously loved the old one. To everyone else it's pretty spiffy and a reasonably good model of how such things are supposed to work. That is, I'm not at all convinced that the old Finder was actually superior; it's just that people liked it that way, darnit, and anything different is inferior by definition.
You're right: it doesn't. I'm not sure why you even brought it up.
The Classic interface (Score:5, Interesting)
Don't get me wrong, I still think OS X is better overall, because of its underlying architecture and a functional CLI, but the Classic Mac GUI had been honed incrementally over almost two decades before Steve just decided to bin the whole thing and reinvent the wheel. It was that interface which made the crappiness of OS 9 worth dealing with, despite the fact that you could hang the whole system by holding down the mouse button, and had to manually allocate memory, and everything else. It was the Mac's saving grace -- perhaps its only saving grace -- throughout the 'lean years' of the platform. And that's why a lot of users just never got over its elimination; it was, for many people, the only reason why they'd stuck around for so long.
There was no real reason to change it when the old codebase was dropped for NeXT's: even if none of the code needed to be kept, the interface guidelines that had evolved as best practices, arrived at by painstaking trial-and-error by generations of Mac programmers, could have been retained. What I think happened is that Steve Jobs wanted more eye candy, and wanted to make the entire desktop reflect the OS's "newness." It was a sales tactic, and although I don't think there's any debate that it worked, it was a pretty huge cost.
OS 9 was an operating system with a great GUI and a terrible backend; OS X had a great backend, but a GUI that was almost unusable at first, and which has only very recently come back on par with the Classic OS circa System 7.5 or so. (They just recently snuck the option-click-to-close-all-Finder-windows trick back in, which I believe originated on the IIgs, and was definitely missing for a while in early OS X versions...)
(Incidentally, the interface scizophrenia isn't limited just to the Mac OS; you also see this behavior in some of the major Apple apps [e.g. iTunes] -- every time there's a whole-number version increase, some part of the interface gets changed, apparently for the sake of changing it. It's as if they realize that some people won't believe that anything is different unless the widgets change, so they scramble everything around periodically, just to keep everyone on their toes.)
Re: (Score:2)
Re: (Score:2)
A large majority of MacOS 9 users migrating to Mac OS X thought that, while pretty, the Aqua UI was slow, bloated, and annoyingly shiny. They also gave most of the organizational features of the Finder a complete fail as well. Gone were spring-loaded folders, pop-up-tray tabs on the desktop, hierarchic menus, the app-switcher menu, and a host of other thin
Re: (Score:2)
The switch was entirely worth it if only for the addition of a modern memory susbsyetem to an Apple OS. No more preemptive multitasking and having to specify how much memory each application got.
Yeah, that and security-- including real multi-user stuff. There were always some users who got stuck on the OS9 crap. They'd get their knickers in a twist because there was some missing feature like the color "labels". And then there were the OS9 power-users who had figured out how to do all the insane old Mac
Re: (Score:2)
Not Me (Score:2)
The OS X came about. Systemwide crashes are a rarity, and in my exper
Re: (Score:2)
Re: (Score:2)
Re:Significance (Score:5, Interesting)
myself, i would consider the shift in architechure a greater historical shakeup. it's still amazing to me apple has shifted their core processor/architechure setup twice, including an emulation layer (each time) to ease transition. i had (and still own) a Motorola Mac (SE/30, Moto 68030 CPU) and remember the titanic shift it was migrating to the PowerPC. And, more recently, shifting from the Power/RISC platform to Intel. I think Apple's continued demonstrated ability to shift its underpinnings with damn near nary a disruption is scary impressive.
-r
Re: (Score:2)
OK, we'll say UN*X instead. For many purposes, being UN*X is good enough - for example, no Linux distribution I know of is UNIX, none having passed the SUS validation suite, but a lot of stuff written for UN*X Just Works.
Security Conserns of Time Machiene? (Score:3, Interesting)
While I do agree having good backups is important part of security... Perhaps just perhaps because it is so easy there is a security problem with it.
Re:Security Conserns of Time Machiene? (Score:5, Insightful)
If it is an important file, why would you drop it in a public location in the first place, instead of just transferring it directly to that user or putting it in a password protected location or them? The scenario you envision is already a security problem because you're posting private data in public temporarily. I'd argue the right solution, is not to do that at all.
Re: (Score:2)
Re: (Score:2)
I very much doubt this will be the case. To my mind, Time Machine looks an awful lot like a pretty wrapper around a snapshot function, similar to that found in modern logical volume managers and SAN products. Sun's ZFS has such a function, and Apple have licensed ZFS for inclusion in Leopard [news.com].
Such a system generally works at the block level (with LVM), though with the filesystem integration ZFS gives it could probably operate more efficie
Re: (Score:2)
Re: (Score:2)
Sure you can argue the correct solution but, my way is the easier solution... Given most people they will go with the easy solution. Put it on a public location turn on file sharing tell them to go to this address, then turn it off after they got the file, delete the file from that dir and you are all set.
Or easier yet you can include it in an IM chat or e-mail, which is what most people do these days and which is no less secure than what you describe.
For most cases it will take a while for a hacker or whatever to find the file and get it, durring the 10 minutes it is public.
Sure, but you're advocating lousy security instead of real security. Do tell, how is your method "easier" than e-mail or chat file transfers?
GUIs are prone to errors ... (Score:2)
GUIs are prone to errors, just like consoles. All that has changed is how the error manifests. When your finger slips at the console you get a typo. When your finger slips during a drag you may inadvertantly issue a mouse up and drop the file being moved prematurely, in the wrong folder. It can be a PITA when you were dragging over a bunch of subfolders in a list view.
Re: (Score:2)
On the "777" issue, I don't think the backup snapshots are writable in the general sense, so it wouldn't much matter if your backup of a file had writable perms. What you're probably more interested is a file you initially created as 755 and later changed to 700 (which is basically the same issue as your "accidental publication" concern). The answer is that Time Machine allows you to explicitly ask it to delete all historical copies of a given file, for precisely these kinds of reasons.
Re: (Score:2)
Time machine isn't a feature that "someone" can run against your network drives. Time machine allows you, the operator, to use a second hard drive to maintain snapshots of the drives that you're using. Since the snapshots are on a separate drive, there's no risk that someone accessing your system remotely will have access to files that you've removed, or whose permissions you've changed.
Bravo! (Score:2)
Also, Time Machine is a great forensic tool.
Overall, of course, I'm lauding the article more than 10.5, since I'm unaware of any of these features being truly new to the IT world.
Evil bit? (Score:5, Funny)
Wait... don't tell me they implemented RFC 3514 [wikipedia.org] .
Re: (Score:2)
Double-click program downloaded from the internet
Time machine begins to backup your computer
Floyd says, "oh boy, are we going to do something dangerous now?"
Backups as Security? (Score:2, Interesting)
Although I am a fan of backups, this is really silly. Even if we assume that users have Time Machine turned on, that they have external media on which to back up, that they manage to actually have everything turned on and hooked up to do the automated backup, there's still o
Code randomization a bad idea (Score:2)
"Code randomization" is a terrible idea. Virus writers will write something that searches around for the right place to patch. Developers will think buffer overflows are now OK, and write worse code. Worst of all, bugs become nonrepeatable and harder to debug. (Great for tech support. Much harder to pin blame on the vendor now.)
Re:Code randomization a bad idea (Score:5, Informative)
No, they won't be able to do that. At that point, they haven't gained execution yet.
Buffer overflows require you to jump to code which is in a known place in memory (usually libraries), which in turn slingshots you back to the exploit code stored on the stack (or other). Without knowing where to jump to, your malicious code will just sit there in memory, not doing anything.
Re:Code randomization a bad idea (Score:5, Insightful)
Virus writers will write something that searches around for the right place to patch
It's not quite that simple. Virus writers have a practical limit of how much code they can squish into a buffer overflow (which reduces the effectiveness of a NOP slide) Not only that, protected memory operating systems will bomb out if you start randomly poking at memory addresses. Since the addresses are randomized, you don't really know where to start looking which means it becomes a probability game of how many valid addresses the code your looking for could be at compared to the total address space.
Developers will think buffer overflows are now OK, and write worse code.
Developers have known about buffer overflows for years, and people still use sprintf over snprintf. I doubt anyone who is doing any serious coding will look at ASLR and say, "Hurray! We can forget about string validation!"
Re: (Score:2)
Re: (Score:2)
char buf[1024];
snprintf(buf, "Logging started, argv[0] is %s", 1024, argv[0]);
and then later, I'll output it to a file or something. It's a bad example, but doesn't using the 'n' version of sprintf keep people from filling buf outside its bounds?
How does code randomization help? (Score:2)
Re: (Score:2)
Re:Code randomization a bad idea (Score:4, Interesting)
Re: (Score:3, Informative)
- Do you have any idea how less vulnerable you are to an attack when the attacker can't get you in 1 hit? A networked-based attack would essentially have to flood you to get the right address, and bandwidth limitations could prevent them from ever doing it (searching through a multi-gigabyte address range a few dozen bytes at a time takes a *long* while when you'r
Re: (Score:2)
Brilliant solution. All they have to do, in order to run the code that "searches around," is run some code that searches around for the right place to patch. But to run that, they first have to run some code that searches around for the right place to patch. But in order to run that, they have to--
STACK OVERFLOW! User Sloppy DoSed.
Oops, I guess it worked, after all.
What about the insecure default settings? (Score:2)
I have been given to understand that one of the problems with OSX is that in order to make some legacy software work such as applescript, apple had to make a few file settings more open than they should be.
The big example is the one which allows a USB drive with a correc tly set up copy of OSX on it to automatically become the boot drive with full root access to all drives on a restart. IIRC there's even a company that sells these things pr
Re:What about the insecure default settings? (Score:5, Insightful)
Re: (Score:2)
The only other ways to boot from an external disk if there is an Open Firmware is to use the Startup Disk pane of System Preferences (requires admin password) or to use the bless command in the terminal (requires sudo / root access).
Oh, and for those of you that
Re: (Score:2)
This is or has been a known problem on a few Linux distros as well. Still IMHO it should be fixed. There's a big difference between surreptitiously slipping a flash drive into a slot for a minute or two and taking the lid off a machine. Especially
Re: (Score:2)
Many of these approaches have already failed (Score:3, Interesting)
I wish that Apple would decide to photocopy good ideas from Microsoft rather than bad ones. The single set of application bindings for helper applications and URL handlers? That comes from Windows. The idea of giving users the opportunity to open potentially hostile files directly from mail and browser software? That comes from Windows. Open Safe Files? That comes from Windows. Popping up dialogs before automatically doing stupid things, instead of not automatically doing stupid things? That comes from Windows.
The last straw for me was when Safari on OSX warned me that I was downloading an EXE file because it's executable. Not that I was running it. Just that I was downloading it. Holy Mother of Turing!
*sigh*
At least they don't have anything like ActiveX yet.
Feature Now - Is there a hidden camera? (Score:2)
Re: Vista Previous Versions (Also in 2003 Server)
Some users will find the feature objectionable because it could give the bossman a new way to check up on employees, or perhaps it could be exploited in some nefarious way by some nefarious person. Previous versions of Windows were still susceptible to undelete utilities, of course, but this new functionality makes browsing quite, quite simple.
From today's article:
The writer argu
Re: (Score:3, Informative)
Here try this...
Instead of 'Volume Shadow Copy' introduced in WindowsXP/2K or 'System Restore' introduced in WinME and effectively in WindowsXP; Go look up 'Previ
Re:WTF??? (Score:5, Interesting)
Apple just made it easier to recover deleted files, if you're using backups. If you're not using backups, there is no problem. OS X has also long had a "secure delete" option that not only deletes the file, but writes over it with random data multiple times, ala DoD requirements. I'd be willing to bet that also does the same on your time machine backups.
Re: (Score:2)
Re: (Score:2)
We won't know for sure until it comes out and someone tests it.
TM has that option (Score:4, Informative)
It's such an obvious feature it's no surprise it's included. This is versioning 101 stuff.
Re: (Score:2)
Watch the Apple leopard video. I believe in there, they talk briefly about how TM has the option to permanently remove all versions of a file. It should also be mentioned on the TM feature page Apple has on the web site... in any case it's possible.
It's such an obvious feature it's no surprise it's included. This is versioning 101 stuff.
How do it know? When is a file a version and not a new one? For example if I have a configuration file for some data processing program I use. I edit it in different ways for different runs. Is this a version or a different file. Or how about a generic reference letter I go in and change the names in for another use. version or different file? What if I move or copy a file. Are these versions?
Re: (Score:2)
That's easy. It tracks the changes to the files. If you create a new file by using "save as" that won't be deleted and neither will it's history, but that is obvious because the original file still exists. If you move a file, it is still the same file. If you copy a file, you've made a new file, based upon the old one.
hardlinks (Score:2)
How do it know? When is a file a version and not a new one?
That's easy. It tracks the changes to the files. If you create a new file by using "save as" that won't be deleted and neither will it's history, but that is obvious because the original file still exists. If you move a file, it is still the same file. If you copy a file, you've made a new file, based upon the old one.
Okay try this one on for size. Make a hard link of a file. Now edit one of the hardlinks and save it (not save-as, just save). Now which one is the copy? From the file systems POV the edited one will be a copy. But from the users point of view it might be the original, especially if they had no way of knowing the hard link had been made.
For example, since I don't have Time Machine yet I currently snapshot my home directory by making a image of it populated by hardlinks. this happens in the backgrou
Re: (Score:3, Informative)
There are no "copies". You had one file that you modified. This would be reflected in Time Machine by simply re-creating the two hard links you had to the same file.
From the file systems POV the edited one will be a copy.
There are no copies, there is one file (from the filesystems point of view). Try it and look at BOTH hard links.
The save will sever the
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There is a greater risk for many people in lack of backups vs. outside threats who have sufficient access to the machine to see data we've deleted without bothering to secure delete it or dele
Re: (Score:2)
Suppose you were writing a letter to an old friend and, in a moment of weakness, add a paragraph on how you still have a crush on her and would like to meet. Later you think better of it
Delete Instructions (Score:5, Informative)
Here are some step-by-step directions if you really need it: Leopard Time Machine: Delete Files or Folders from Backup [tech-recipes.com]
AC
Re: (Score:2, Informative)
Re: (Score:2)
Security hole from hell? Okay, if a person has that kind of access to your machine, your files are really already compromised; cause unless you frequently leave your Mac out in the open with the root password pasted to it, people will rarely get to the point where they can recover incriminating files. On top of that, you can control what time machine does and does not back up.
Re: (Score:2)
I'm sure the OS X implementation will be better. But it will be funny to watch the backpedaling that ensues, because it was always the idea itself that was inherently flawed, it was argued. Users don't know what exactly they just downloaded does.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
A LOT of Windows programs are programmed with the assumption that the user is running with full or almost full privileges because that makes life easier for newbie programmers, and that's how things were designed back in the 9x days.
Most MacOS X programs are designed to run with low privileges and only prompt for privilege escalation when it's really really needed.
Because of this, my guess is that it will be a much
Re: (Score:2, Insightful)
So don't worry, you will get the same story here.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Using fanboy is bad enough, fanboi should be beyond the pale. It's usually a precursor to irrational rants based on an imagined foe (in this case the 'mac fanboi'). At this point I thought you'd lost all credibility.
Re: (Score:2)
They want OS X to be realed for common hardware not realize that apple tried that (with their older OS) and it nearly killed them. And right now they are doing stellar, they way they are going now. Basicly they are just jelious that Linux isn't as good as OS X is.
Re: (Score:2)
Re:It's to bad that 10.5 is not comeing out for al (Score:5, Insightful)
I've heard this for years but I still haven't seen ANY hardware sample where Windows "just works". I'd put more value on the fact that Apple based the core of their OS on a unix-like system not the registry/spaghetti mess that has been windows for the past decade plus. I'm sure that eliminating poorly written drivers from the mix does help prevent some of the problems that plague windows but it's not the whole story by a long shot.
Besides, with that argument, Linux should be even more unstable because very few of it's hardware drivers are written by the device manufacturers - many are reverse engineered.
Re: (Score:2)
Re: (Score:2)
I've heard this for years but I still haven't seen ANY hardware sample where Windows "just works".
It really depends on what you mean by "just works". The truth is that Windows does suffer from supporting a larger variety of hardware. Specifically, if you have a Windows XP computer that crashes on a regular basis, there's a very good chance that you either have some sort of malware installed or else have some really crappy drivers. Ignoring malware and crappy drivers, Windows XP is actually a pretty sta
Re: (Score:2)
Comment removed (Score:5, Informative)
Re: (Score:2)
Expensive proprietary system? o_O Sure, it's infinitely more expensive than your OSS solution (technically), but a $150 price tag for the entirety of Leopard seems like a reasonably good deal to me. I think this is more of a "it's better than what we've got" feature than a "this is a guaranteed fool-proof backup solution". Of course it will start losing files if you push your disk capacity to its limits - but that's true for ANY backup method. If you ran out of CDs and had no means to get more, you'd start
Re: (Score:2)
Re:impossible; other strategies (Score:4, Insightful)
If you look at Apple's description [apple.com] of the time machine functionality, it's not possible for it to work the way they claim.
Could you please explain how you think Apple is claiming Time Machine works, and why you think it's not doing that? I ask because I'm not sure what you find objectionable about the page you linked to. In a simple answer to your question, you can use Time Machine to back up to either an external drive or a server. When space runs out, OSX will warn you, and you'll then be given the option of overwriting your old files. That's what Apple has said about running out of space. I would assume that you'd also have the option of adding additional storage (e.g. getting another external hard drive), and keeping your old backups.
It'll be a very sensible solution for 99% of users. (Yes, that statistic was pulled out of thin air. But it's very sensible.)
However, my OSS solution works much better for me than Apple's expensive, proprietary system would work for me.
Ok, that's great. Nobody is stopping you from using that solution, and Unison has been available on OSX for a while now. In fact, I don't see any reason to think you won't be able to use both Unison and Time Machine. So what's the problem?
Re: (Score:2)
Actually, it deletes entire snapshots when it needs the room, so you'll still have your 500kb novel as well as the video.
Time Machine is very similar to rsnapshot, except that it can use spotlight to determine which files have changed, an