backtop


Print 60 comment(s) - last by Pirks.. on Aug 7 at 7:35 PM

Security experts say poor driver design leaves doors wide open

Two security researchers from Black Hat this week revealed a method in which a MacBook can be broken into and taken control of. In fact, the intrusion method is at such a low level that even firewalls and anti-virus applications can't help. Based on flaws in wireless network driver design, Apple's line of MacBooks -- and MacBook Pros -- allows an attacker to remotely bypass the security of the laptop and the operating system.

Jon Ellch and David Maynor from Black Hat say that drivers for Apple's notebooks are developed not in house, but outside using contracted development companies. Ellch says that often times, these development people are under so much pressure from higher management to get working drivers so that companies can rush our products to market. Under circumstances like this, drivers for devices such as wireless network processors enter "the wild" in an untested state.

However, Mayner said that "we're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something." Mayner cites that many of Apple's commercials claim that Macs don't suffer from the same security vulnerabilities that PCs do but in fact, they do.

The team at Black Hat demonstrated that they could circumvent the Wi-Fi security and OS level security in a MacBook and within just 60 seconds, were able to take complete control of the machine. Black Hat demonstrated the technique through a pre-recorded video to prevent anyone from intercepting the wireless network traffic to deconstruct the attack and release it elsewhere. Black Hat said that it has been in contact with both Apple and Microsoft, because the vulnerability exists on both sides.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Amen
By TomZ on 8/4/2006 1:58:32 PM , Rating: 2
Bottom line is that all current-generation operating systems are developed using basically similar architectural designs and using similar programming and review techniques. None were designed with security as a primary requirement. Therefore, it is just sheer ignorance to believe that somehow one of the current generation operating systems would have fundamentally better security.

Of the mainstream desktop operating systems, the only one that I know of that has taken security seriously from the start of development is Vista. And even in that case, Microsoft is still bringing forward a lot of code from previous releases. But it seems that this operating system has the best hope of being more secure than its peers when it comes out. Of course, this remains to be seen.




RE: Amen
By HilbertSpace on 8/4/2006 2:40:00 PM , Rating: 4
Two words: Solaris 10


RE: Amen
By noxipoo on 8/4/2006 3:00:50 PM , Rating: 2
yes Solaris 10 is the answer to this problem, makes perfect sense on all fronts.


RE: Amen
By TomZ on 8/4/2006 4:50:22 PM , Rating: 2
No, it is not the answer to anything, since Solaris has almost zero desktop market share, its contribution to the problem of desktop computer security is also zero.


RE: Amen
By Pirks on 8/4/2006 8:11:45 PM , Rating: 1
Is Solaris 10 now more secure than OpenBSD? Care to prove it with some links?


RE: Amen
By phatboye on 8/4/2006 3:06:14 PM , Rating: 2
quote:
Of the mainstream desktop operating systems, the only one that I know of that has taken security seriously from the start of development is Vista. And even in that case, Microsoft is still bringing forward a lot of code from previous releases. But it seems that this operating system has the best hope of being more secure than its peers when it comes out. Of course, this remains to be seen.

You have got to be kidding me. Although I have to agree with you that ms is getting better at taking security more seriously, I have to disagree with you on the point that Longhorn (aka Vista) has the "best hope of being more secure than its peers when it comes out" simply because MS is adding so much new code into this new OS and this new code has not been field tested as much as other *nix OSes and even perhaps older versions of MS's NT kernel based OSes. From what I understand MS did a complete overhaul of its networking code and a made a lot of changes the drivers in longhorn. So when in the world are you getting this false belief that Vista will be more secure? I believe you are just another victim of MS's marketing machine which wants you to believe that Longhorn will be more secure when it probably won't be.


RE: Amen
By cgrecu77 on 8/4/2006 3:18:20 PM , Rating: 2
what he's basically saying is that Vista has the POTENTIAL to be the best in terms of security because it was designed with security as a primary concern. Obviously in the first year or two Vista will have plenty of patches (which is completely normal with a huge OS) but once most bugs are fixed the end result should be a very secure OS. MacOS is i n the end a *nix variant and all *nix variants have their share of bugs/viruses/exploits but OSX is the only one claiming that there are no viruses/security threats for it which is ludacris to say the least ... Apple is walking a thin line here because it could get sued for misleading claims, after all companies have be sued for much lesser reasons ...


RE: Amen
By phatboye on 8/4/2006 5:01:11 PM , Rating: 2
quote:
what he's basically saying is that Vista has the POTENTIAL to be the best in terms of security because it was designed with security as a primary concern.


Most *nix OSes were designed with security as a primary concern since day one, so how can you compare longhorn, which is very new, to some of these *nix OSes which have had security as a primary concern even before MS knew what security was.


RE: Amen
By TomZ on 8/4/2006 5:29:07 PM , Rating: 3
quote:
Most *nix OSes were designed with security as a primary concern since day one

No, they weren't. They were designed with security in the sense of prohibiting users from being able to do this-and-that. But they were all programmed in C/C++ without any understanding of the types of security attacks that are so common today, e.g., stack overflow and buffer overrun attacks. Unix and similar operating systems did not recognize this type of security at all - zero, nill, nada.


RE: Amen
By phatboye on 8/4/2006 11:48:32 PM , Rating: 2
quote:
No, they weren't. They were designed with security in the sense of prohibiting users from being able to do this-and-that. But they were all programmed in C/C++ without any understanding of the types of security attacks that are so common today, e.g., stack overflow and buffer overrun attacks. Unix and similar operating systems did not recognize this type of security at all - zero, nill, nada.


and you have just proved my point.
quote:
They were designed with security in the sense of prohibiting users from being able to do this-and-that.
Since back then there was not threats like viruses going around they made their OSes secure buy preventing the them from the only known threats they knew of back then. How could they protect the OS from stack overflow and buffer overrun attacks, back then no one really understood what those were so I would be hard to really protect against such things.


RE: Amen
By Pirks on 8/5/2006 12:51:50 AM , Rating: 1
quote:
Since back then there was not threats like viruses going around they made their OSes secure buy preventing the them from the only known threats they knew of back then.
Well, I told TomZ almost the same stuff, that Unix was designed with security in mind, but I should have added that "early Windows versions were designed with LESS security in mind than Unix" - that'd be more correct. If you compare Unix and NT they are pretty close, with NT having more flexible permission/access rights system than classic Unix, however MS made a major mistake by not following PHILOSOPHY of Unix and instead following DOS/Win95 philosophy - I mean they permitted users to live as system administrators, it was perfectly OK in NT, while was seriously frowned upon in Unix - so now we got the consequences - very nice NT security is rendered useless in MASSIVE amounts in all the millions of home PCs runnig XP or Win2K in admin mode, because it's so much easier.


RE: Amen
By masher2 (blog) on 8/7/2006 9:13:11 AM , Rating: 2
> "Since back then there was not threats like viruses going around they made [*nix] OSes secure buy preventing the them from the only known threats they knew of back then"

Um, the first computer viruses appeared in the early 1980s, long before Linux was written, and long before OpenBSD, FreeBSD, and nearly all other desktop Unix OSes were forked.

Even assuming your statement was correct, how do you feel Windows was any different? If the "only threat at the time" was from other users, then Windows, which began as a single-user non-networked OS, was immune by default.



RE: Amen
By TomZ on 8/4/2006 4:55:48 PM , Rating: 2
quote:
So when in the world are you getting this false belief that Vista will be more secure?

Because I have some insight into the development process at Microsoft, and I can see that Microsoft have made security job #1. It's not just a marketing message.

If you want to see for yourself, go to MSDN Blogs, search for "security," and start to read some of the articles (650 pages of articles come up). You can argue that blogs are "marketing," but in reality, most of the blogs are written by engineers who are talking about their day-to-day work experiences.


RE: Amen
By Pirks on 8/4/2006 3:30:42 PM , Rating: 1
quote:
Of the mainstream desktop operating systems, the only one that I know of that has taken security seriously from the start of development is Vista.
If you consider OS X a mainstream desktop OS, then it has better chances to be called "seriously secure from the start" because it's based on Unix, where running everything under root Win9x/NT/XP-style was nonsense FROM THE VERY BEGINNING. While Vista only now STARTS to get away from that bad "everyone is administrator" paradigm.

You can look at the situation like this - both Vista and OS X kind of converging onto some common ground, but they converge from the different directions. While MS has strong background in DOS/Win9x and has insane amount of old code and old ideas taken from there - all the command prompt stuff, batch language, a lot of core OS command line utils, a lot of Win95/DOS ideas like "there's only one user per machine" or "the network is local only and can be trusted, outside access is via modem, hence it's uberslow, hence it's safe too" and stuff like that. Vista evolution is a painful process of shedding this museum dust and trying to come up with something more sensible. So it's a movement from the bottom upwards, to more secure Unix-server's "don't trust anyone" environment.

At the same time OS X is the movement from the server-like microkernel-bolletproof overprotected and hence slow environment to something more desktop-style, with more comfort for a single or a couple of users and most of the heavy server code and industry-grade protection moved to OS X Server... I mean it's not there yeat, but it's moving in this way, getting faster and leaner with every release.

Well, the only thing you should add to your post is the word "Microsoft" - you should change "Of the mainstream desktop operating systems" to this: "Of the Microsoft desktop operating systems".

And even then you can't forget a Babylon tower of hype surrounding NT security many years ago, how NT ACL was the uberthing, how it was overprotected from everything etc etc. Then it looks like you have to make another change - replace Vista with NT, because NT was all about security in all its facets, from software stability/crash protection to outside intrusion protecion.

To me MS is still paying the price for sticking to its DOS/Win9x roots and rejecting several sane Unix policies, like not trusting anyone and granting every application the least possible rights. Sure you'll get zillions of virii and malware this way - and Vista probably won't solve this at all because no OS can protect users from opening email attachments automatically, like dead zombies. Just wait till OS X gets enough market share, gets flooded with those email attachment opening mindless bots and enjoy the collective scream of horror from all the Apple zealots - and they will scream LOUD, I tell ya ;-)))


RE: Amen
By INeedCache on 8/4/2006 3:44:12 PM , Rating: 2
All true, except that I may not live long enough for the "just wait till OS X gets enough market share..." the way Apple prices things.


RE: Amen
By Pirks on 8/4/2006 3:56:36 PM , Rating: 1
quote:
the way Apple prices things
If they set the price such that a Mac configured the same as PC in similar or better style/form factor costs the same or sometimes less, while providing both OS X and Windows compatibility - which is the case with their pricing at the moment, compare dell.com and apple.com prices and see for yourself - I'd say you'll see Apple will continue to double its market share not only for this and last year - they will teach all AT downmodding clowns a lesson or two, this year, next year and so on. I will be surprised if they will NOT double their market share every year for several years more. 12% of retail US laptop sales from nothing - of course this won't teach you anythig - keep in your cell, just shut the windows tighter - the reality may hurt your sensitive eyes.


RE: Amen
By retrospooty on 8/4/2006 5:54:44 PM , Rating: 2
LOL, so you think Apple will reverse the trend of declining marketshare over the past 10 years and triple growth? Even Steve Jobs doent think that, and he's totally insane.

They now have less than 3% global market share of all personal computers sold. And they acheved this near oblivion how? By continuing to launch superior products at a competitive price points? LOL , you MAC clones crack me up.

Triple... LOL .... LOL again.


RE: Amen
By TomZ on 8/4/2006 6:02:07 PM , Rating: 2
quote:
LOL, so you think Apple will reverse the trend of declining marketshare over the past 10 years and triple growth? Even Steve Jobs doent think that, and he's totally insane.

The way Apple could gain more market share going forward is to convince iPod/iTunes users to give up their PCs in favor of Macs. This is already happening, and I don't see any reason to believe that this will not continue to happen. At the moment, there's not anything all that interesting going on in the PC world, except for maybe the launch of Vista, and the value proposition for Vista is not really understood yet by consumers.


RE: Amen
By Pirks on 8/4/2006 8:18:20 PM , Rating: 2
quote:
the value proposition for Vista is not really understood yet by consumers
Could you please elaborate more on that "value proposition"? Everyone knows it's a refreshed version of Windows with new GUI and new version of DirectX, which does exactly the same stuff that XP was doing, it's just in a new skin. Granted, security is better, but it was better in XP service packs, so no major difference, it's rather incremental process. Do you mean something specific and not well-known when you say "value proposition for Vista"? Something we don't know, some hidden knowledge from MSDN?


RE: Amen
By TomZ on 8/4/2006 9:49:24 PM , Rating: 3
quote:
Could you please elaborate more on that "value proposition"?

Value proposition relates to marketing, more than technical. What I mean by that is, what will Microsoft tell potential customers about why they should embrace Vista. You start to see this here on their marketing web site:

http://www.microsoft.com/windowsvista/features/def...


RE: Amen
By Pirks on 8/4/2006 7:48:46 PM , Rating: 1
quote:
so you think Apple will reverse the trend of declining marketshare over the past 10 years and triple growth?
No, I don't think it will "reverse" something that does not exist :) Apple was steadily increasing its US market share in recent times starting soon after OS X 10.1 release, and the rate is only accelerating - read some quarterly reports from Apple and pay attention to the number of Macs they've shipped each quarter.

Your blurb about tripling something I'll leave to you - there was no word "triple" in my post so you can keep it to yourself, thank you :-)

quote:
They now have less than 3% global market share of all personal computers sold.


Right, soo.. they have 0.001% in Russia and maybe 0.0001% in East Africa. I know that. Religious PC people like to quote some global or Russian or African numbers. Which is ok for religious guy believing in his own truth etc, but those with little less closed minds try to THINK (no, not different, just think :) and they soon understand that US market is a trend setter in computers. It's American companies like Intel, AMD, Apple, IBM, Sun and so on who set the world trends. If AMD loses US market - say buy to Mr. Ruiz. Same for Intel and everyone else. Then, after THINKING a while the not so closed minded person will ask herself - hmm, if the US market is the trend setter, why don't we look into just US market share and try to interpret it as prediction for the future global market share? You ever tried that? No, you didn't, you have too much religion in your head. If you level it down a bit and think what happens when the world follows USA and, say, the WORLD retail Apple notebook sales reach 12% of market - you know what you realize... so don't even try - like I said before - better stay in your cell and keep windows shut tight, otherwise you risk hurting your eyes :-)

quote:
And they achieved this near oblivion how?


Ask this question in any newly popped up Apple store, the best would be Manhattan's on 5th Avenue, but don't forget take videocamera with you and post the answers on YouTube - I gonna love this show!! Post here when you're done - this might beat even that cool star wars parody in there ;-))

quote:
By continuing to launch superior products at a competitive price points?


Well, you see, Dell and Sony also try to make iMac clones, I mean monoblock PCs, but they set the price twice higher, so what? Did THEY bankrupt? No, they didn't. See, if you turn on a bit of logic, and think (again this stupid word!) about it, you'll see that if company like Sony (or Dell) sells those overpriced monoblock desktop portables for the price MUCH HIGHER than similarly configured iMac, and still enjoys good financial health and nice market share (Sony and Dell enjoy that, and you agree, dontcha?), then how teh heck can they GET INTO OBLIVION if they release the same products CHEAPER than similar product of competitor's?

quote:
you MAC clones crack me up


You PC boneheads make me smile too. Your logic is pretty funny and definitely brings up a smile or two. Just imagine: oh, look, Dell was selling $4000 monoblock PC, and Dell's cool and great, now look! Apple sells the same monoblock PC for half a price of Dell - and what's gonna happen to Apple then? Of course APPLE WILL FINISH ITS LIFE IN TOTAL OBLIVION! And then somebody asks - why so? And you give your standard bonehead's answer - "because it's Apple, stupid!" Nice, very nice - keep it up, we all need our daily simles and you do it great! Thank you again :-)


RE: Amen
By Questar on 8/4/2006 9:52:33 PM , Rating: 2
Apples market share is increasing, and is currently at 4.8%.


RE: Amen
By Laitainion on 8/4/2006 5:59:29 PM , Rating: 2
Just a quick search:

Dell Latitude D620
Core Duo 2GHz, 1GB 667DDR2, 'Quadro NVS 110m 256MB' (no idea how good this is) and 14.1" 1440 by 900 screen comes to £1199 inc VAT

MacBook Pro
Core Duo 2GHz, 512MB 667DDR2, Mobility Radeon X1600 128MB, and 15.4" 1440 by 900 screen comes to £1399 inc VAT

2 roughly equally specced laptops, £200 price difference. No matter how good Apple's brand is, they can't keep double market share each year. Granted, I am an Apple hater, you couldn't pay me to buy anything from Apple, but do the maths people.

It is a *lot* easier to achieve impressive statistics such as 'double market share in a year' when you're market share is really low. If I sell one laptop this week, and sell 2 next week, I have doubled my market share in a week (just a hypothetical example). But if I sell 1'000 laptops in one week, it will be a lot harder to then sell 2'000 the next than in the previous scenario. Point is, I think Apple are going to start hitting the point where, although they are selling more laptops, and possibly the real number of people buying them is growing as fast as before, it certainly won't continue doubling each year. If it did, ib 2 years they'd have nearly 50% if the market, and that simply isn't going to happen.


RE: Amen
By Pirks on 8/4/2006 8:09:51 PM , Rating: 2
quote:
2 roughly equally specced laptops
Care to provide sie and weight of both? And maybe include some interesting stuff from MacBook Pro that you "forgot", like keyboard backlight, free fall sensor, web camera etc etc?

See, some people, like most AT readers, work purely with numbers - this is 2GHz and that is 3GHz, so the latter rocks and the former sucks. End of story. However, we live in the world where most of the population don't read AT and they also differ from you and me in many ways, so what do these people do? They like to compare not only GHz but also how the thing feels in work. So they come to a store, compare bulky Dell with thin light MacBook Pro and voila - another convert appears out there, the guy who dared to pay for such meager thing as size and weight... come on guys, just look at him! He just paid extra 200 pounds because his MacBook is lighet and thinner than Dell, and has this stupid keyboard backlight, jeez he stupid! And all AT forum will say "YEAH SUCKER" and then mod you up 'cause you're soo cool. But, the deal is - you guys are only 1% of the population, and the other 99% dares also to look at such blasphemous nooby parameters as weight, comfort and so on... yeah, too bad the world is not all about GHz - but people here will learn about it, maybe the hard way, but they will, sooner or later.
quote:
Apple are going to start hitting the point where, although they are selling more laptops, and possibly the real number of people buying them is growing as fast as before, it certainly won't continue doubling each year.
I never said it would be doubling every year forever and ever - I said "for several years". Maybe just two years and maybe the second year would be not pure double but closer to say 1.8 or 1.7 - nobody knows the future, but rapid Apple market share growth is only accelerating recently, I expect it to accelerate even more after Jobs will tease everyone with some sexy Leopard coolness and then deliver Conroe and Merom based Macs and maybe a megabomb like a Woodcrest-based Mac Pro. Sure, it will slow down later, but my guess it's not gonna happen before two years pass - Apple bug is on the rise and Vista does not look like a proper cure to me... I thought maybe they can stay on top with DX10 and WinFS but after WinFS was killed and after I read about Transgaming and Cider I now dounbt even that is gonna protect Vista after Leopard is out. Hehe, sounds like a wild life report :-)))


RE: Amen
By ksherman on 8/4/2006 9:14:20 PM , Rating: 2
Apple has recently been relativly successful. They do have some very competetively priced models, such as the mini, macbook/pro, and the iMac. I think their desktops are a pure waste of money. Sure they are in a pretty case, sure they have two dual core processors, but as I mentioned in a post earlier in this bout of news, they are severly lacking in almost EVERY other category. (Seriously, who buys a computer with a base cost of $3200USD that only has 250GB HD, 512MB of RAM, and a 6600 video card. thats just nuts... IMO anyway.

I think Apple will have a very difficult time increasing market share NEARLY as much as you predict. I am under the belief that Apple little house of cards is going to collapse reasonably soon. They hide behind this aura of flawless security. Its only a matter of time before OSX gets their viruses/hacks/exploits etc... make no mistake, it WILL. thats just life. Does that mean the security is like a slice of swiss cheese as Windows is/was? It is arguably more secure because, IMO OSX has a very small market share compared to the likes of MS, so they arent target as much.

As Apple gets further and further into the spot light, all their ignorant claims of superiority are going to fall. ANY report that says that a Mac has a vulnerability is going to me magnified in signifigance. Their compys can run windows now, great, super cool. But that also carries with it the security flaws that users were trying to get away from. Many of the "general" consumers will say, "Hey, i bought a Mac, im invulnerible to viruses and spy ware!! and I can run windows too!" are going to be terribly shocked when they start getting their favorite popups and the like. They will be angry, asking why they splurged for the price premium. It WILL happen, perhaps down the road, but it will. Apples Magic will fade a bit. I do agree the Jorbs and his crew do a good job of keeping us on the edge of our seat sometimes, at somepoint that will get old. Theres nothing like spending $1000+ on a computer that gets a whole new redesign every other year, or sooner. That will get old, albiet down the road.

If anything, what WILL help Apple's market share is their lappys. The MacBook is a super competetive laptop, being reasonably small and light, with decent battery life, superbe performance, and a good price to match it. If they put some type of dedicated graphics (like a 7300Go or the like) it would be a steal that their price. What Apple for sure needs to do is up the rez on their laptops, they are falling behind in that section. Their new desktops will help a lot too, as the Core2 is an INCREDIBLE process (obviously) and a TON of the users in the professional creative market will spend the dough on them and the new software to go with them. Not to mention, later this year they are likely to have a dual quad... which is just nutsy *drools*, and SUPER insanely expensive.

I am not an Apple hater, I am not a PC hater. I am one of those swing voters the politicians covet so much. I have only ever owned PCs, and I build them which makes me sympathetic to the cause of the PC. I also covet the Aluminum goodness of the PowerBook/MacBook Pro. Their are jsut damn sexy, but quite a bit outside my budget. I will thus compromise and go for a MacBook eventually, prolly next year when they get the SantaRosa based platform and the newer X1300 (or was it X3000?) Intel graphics... I also run OSX on my extra HD, just for fun.

well, thats enough out of me... Their is validity to both sides, but ultimately I feel that Apple users are due for a VERY rude awakening within the next year or so. I will pray for you ;-)


RE: Amen
By Pirks on 8/4/06, Rating: 0
RE: Amen
By ksherman on 8/4/2006 9:59:10 PM , Rating: 2
quote:
sherman, you're getting in the same old trap again and again - you compare modern desktop Wintels with ancient PowerPC Macs. When are you going to stop falling in the same manhole? Can't you see current Intel iMacs are VERY different both price-wise and feature-wise from old museum PPC PowerMacs? I don't even understand why you bother posting here comparing some museum Apple computers with modern Intel PCs - yeah, I CAN TOO compare Win 3.1 with Mac OS X 10.4.7 and you know what? Win 3.1 SUCKS! You don't buy my argument of comparing old technology to new one? THEN PLEASE DON'T USE SAME ARGUMENT YOURSELF, would you pleeaase??!


Those specs were still for shit when the Quad was released. Not enough hardware for the price, thats all im saying. You spend that much on a dell/alienware, you get a MUCH better Video Card/HD/Base RAM, even then (which was only about a year ago remember)


RE: Amen
By Pirks on 8/5/2006 1:30:22 AM , Rating: 1
quote:
Those specs were still for shit when the Quad was released. Not enough hardware for the price, thats all im saying.
Not enough hardware for PowerPC Quad? Excuse me? COULD YOU BUY PowerPC quad-core computer ANYWHERE ELSE BACK THEN? NO? Then put your sticker back and don't take it off until you understand this: "one can not compare apples and oranges, especially when there is one unique special apple (PPC Quad monster) and an ocean of similar looking oranges (your cheap beige Wintel PCs)"

Do you understand, sherman? You _can't_ compare them - they are WAY TOO DIFFERENT to be compared. Agreed?

If not - tell me why quad-core PPC computer is exactly the same as your standard issue Intel P4 Dell PC, gimme some solid technical arguments please. Thanks.


RE: Amen
By TomZ on 8/4/2006 5:25:17 PM , Rating: 2
quote:
If you consider OS X a mainstream desktop OS, then it has better chances to be called "seriously secure from the start" because it's based on Unix, where running everything under root Win9x/NT/XP-style was nonsense FROM THE VERY BEGINNING. While Vista only now STARTS to get away from that bad "everyone is administrator" paradigm.

First, you have to separate out Win9x from NT/XP since Win9x has little/no security. Therefore, relying on OS-enforced security of system resources in Win9x is not possible. This explains why Microsoft killed off that line of development in favor of NT/XP (one of a number of reasons, I'm sure).

NT/Win2K/XP security is a victim of its own success. The widely-stated "fact" that most users run as admin is actually incorrect. The reality is that most home users run in this mode, while most corporate users run in a locked-down configuration. Any IT guy/gal can tell you that. The reason home users run in admin mode is that, due to NT's strong security, it is difficult or impossible for end users to install many applications and drivers as non-admin. Therefore, when most folks have their home machines set up for them, they avoid this problem by setting up their users as admin. So the issue is not that NT security is weak, but that the security doesn't meet the requirement that end users have to change their computer configuration often. This is obviously not a problem in the corporate department where IT actively manages end-user configurations.

My original point is that the security model, and overall architecture, is basically the same between all the common operating systems. In the case of Windows you have some users running as admin and some not. In OS X and Linux, presumably you have most end (but not all) users not running as root. So that situation is similar, with Windows having a disadvantage for users running as admin. But what is similar is that large portions of the OS run as admin/root, and exploits that are aimed against these types of services can have just as much traction in either operating system, regardless of the end user's rights. For example, the device drivers referred to in this article are presumably a security threat on all supported OSs because they have the ability to run arbitrary code as admin/root. This is the reason for my claim that security in all current-generation OSs is basically the same.

I would like to respond to some of your other points; however, I'm out of time at the moment. I'll try again later.


RE: Amen
By Pirks on 8/4/2006 8:57:28 PM , Rating: 1
quote:
First, you have to separate out Win9x from NT/XP since Win9x has little/no security
No, I'm not going to separate them because many ideas and code migrated from DOS/Win9x to NT and XP, including all GUI and DirectX code. Apparently the idea "if user wants to change something let him be admin forever" came from this DOS/Win9x camp as well - smells very much like it.

If it were not, then we would see this UAC protection from MS a long time ago, but there is not.

So my guess is that old Win9x school inspired them, instead of proper Unix school where root is a NO-NO thing, something you should NEVER touch - just like they try to do it in Vista now.

Hence my post about Windows coming from the bottom up - because they did it not the right (Unix) way. They let user to roam free as root and got current security disaster. OS X on the other hand would NEVER get same level of disaster, even if it had 50% market share now - simply because it has much more reasonable Unix-inspired defaults, which keep root access away from user as much as possible. See, it's the old DOS roots that brought MS down w.r.t. security. In other words the code may be as secure as M1A2 Abrams but if the crew doesn't know basics... the armor won't help - so you have to have the right OS ideology besides the secure code.


RE: Amen
By TomZ on 8/4/2006 9:43:31 PM , Rating: 3
Did you read my post? NT has strong security built in, at least as good as Unix, if not better. I stated that pretty clearly. Bottom up, Unix and NT are basically the same.

GUI and DirectX (if that is correct) has nothing to do with security. Security is related to the file system, kernel, etc. This is the area where NT is a new code base relative to Win9x.

Again, don't bring DOS into it, because NT has nothing to do with DOS - nothing. DOS had zero notion of security.


RE: Amen
By Pirks on 8/4/06, Rating: -1
RE: Amen
By TomZ on 8/4/2006 10:04:27 PM , Rating: 3
No, no, no - you are missing the point! Let me try again.

NT has strong security. If you log in as admin, then you can do everything/anything. This is the case with most home users on XP.

If you log in as a normal user, as most people do in a managed, corporate PC environment, then your access rights are limited based on the configuration allowed by the system administrator. In this case, the secure bits are kept secure.

Bottom line is, NT has excellent security if you use it. In many cases, people don't use it.

The change with Vista is that end users, with "normal" (non-admin) access rights, will be able to install software and drivers without having to log in as admin. This solves the previously mentioned usability problem.

Finally, I hope you can recognize that Unix and Windows are the same in this way. If you always logged into Unix as root, then you would have the same impression, that Unix has no security. If you always needed root permissions to install software and device drivers, then you would always log on as root, and never as a user with fewer privledges. That doesn't appear to be the case in Unix, however.


RE: Amen
By phatboye on 8/5/2006 12:13:14 AM , Rating: 1
quote:
Bottom line is, NT has excellent security if you use it. In many cases, people don't use it.

If XP is designed so that users don't take advantage of the defense mechanisms in XP how can you conclude that NT has excellent security? In most *nix environments during the install process usually some kind of notification comes along and tells the user to create a normal user login and not to use root access for general purpose use. During the XP install process it asks the user to set up user names and passwords then sets them all as admins! And you still think that windows was designed with security in mind? You sir have been brain washed.


RE: Amen
By Pirks on 8/5/06, Rating: -1
RE: Amen
By nunya on 8/5/2006 5:33:11 PM , Rating: 4
Jeesus, STFU already. You're as bad if not worse than the MS fanboys you're trying to bash.
quote:
Follow ME Apple zealots, I am your leader! I am so much smarter than these people that it gives me wood tearing their arguments apart. In fact, I'm hard right now. I can't see it under my belly but I know it's there!
OSX has flaws just like any OS. Just because it doesn't have the same flaws that Windows has doesn't mean it's some super-OS here to save mankind. I think it's obvious that if Apple developes the iPeen Pro you'll be the first in line to see how much you can get in your mouth but most of us evaluate their products with a level head.

Look, I can be as cool as you!

quote:
TomZ, I won't go as far as to say you are brainwashed...

Blah, blah, blah, STFU.
quote:
building SENSIBLE and WELL BALANCED security shell for the user.

Blah, blah, blah, STFU.
quote:
Everything would be MUCH better if

Blah, blah, blah, STFU.

Wow, it really IS easier to be smarter than everyone else!

Now, how do YOU like THEM apples?


RE: Amen
By Pirks on 8/6/2006 8:05:09 PM , Rating: 1
quote:
Just because it doesn't have the same flaws that Windows has doesn't mean it's some super-OS here to save mankind.
Just because someone criticizes OS that you worship, it does not mean some alternative OS will save mankind.
quote:
Now, how do YOU like THEM apples?
I like apples, but I don't like you creating useless noice. Either add someting valuable or please abstain from polluting this thread. Thank you.


RE: Amen
By maxusa on 8/6/2006 1:53:57 AM , Rating: 2
Pirks obviously does not want to listen and is full of rhetoric. TomZ, don't waste your time. You have reasoned quite enough and well.


RE: Amen
By Pirks on 8/6/2006 8:09:33 PM , Rating: 1
quote:
You have reasoned quite enough and well
He was reasoning well but not quite enough - he still has to answer the question form me and phatboye about what worth is NT security if it encourages users to live as admins. TomZ, don't pay attention to zealots like maxusa and nunya, forums are full of them, so please don't disappear, we have interesting discussion here with you and phatboye ;-)


RE: Amen
By masher2 (blog) on 8/7/2006 9:18:11 AM , Rating: 2
> "he still has to answer the question form me and phatboye about what worth is NT security if it encourages users to live as admins. "

Pirks, normally you're on target, but in this particular case I think you're wrong. Non-admin access for day-to-day usage is a useful tool to aid security, but its not a hard and fast requirement. At some point on any OS, you *have* to log in as admin...and if your system isn't secure then, you're still in trouble.

In other words, I feel the "don't run as admin" is just a bandaid designed to hide the real problem. If you can be attacked while running admin level privileges, you have a real problem. Fix the problem...don't hide it by running as a lower-level user.


RE: Amen
By Pirks on 8/7/2006 4:16:14 PM , Rating: 2
quote:
I feel the "don't run as admin" is just a bandaid designed to hide the real problem. If you can be attacked while running admin level privileges, you have a real problem. Fix the problem...don't hide it by running as a lower-level user.
That's one thing any Unix admin will laugh at. By your logic then if there are POTENTIAL vulnerabilities in OS kernel, then they are not worth hiding? In other words another layer of protection that mitigates potential FUTURE vulnerabilities in the OS core is just a band-aid? You definitely know that no OS can provide 100% problem free environment and any reasonably big OS always has its share of holes. But you still argue that as OS codebase grows in size (together with probability of discovering potential new holes) then thinking up new defence mechanisms is a waste of time, 'cause they are just a "band-aid"? This is a cornerstone difference between modern NT and Unix users. NT does not encourage users to run as limited users while Unix in general encourages it. If Unix limits its own potential exploitability by imposing serious restrictions on users - I can't call it band-aid, sorry.

And the most serious argument comes not from you and me, it comes from Microsoft developers who added this "band-aid" to Vista. Did they do this to patch (or mitigate the effects of) the potential future holes? Yes. Is that good? Yes. Can we disagree on how to call it? Sure, you can call it "stupid sticky patch" or anything, but the actions of Microsoft who was lagging behind Unix in this area and now at last decided to add it to Vista speak for themselves.

By calling this feature "band-aid" you call MS developers stupid, masher. And they are not stupid, so I'll always disagree with your definition. I'm pretty sure they planned UAP a ling time ago 'cause they saw what happens when virus takes control of PC from the root account. I think limiting user was obvious, but they just underestimated virus threat, otherwise they'd impose same heavy restrictions on NT root access as Unix does. Would it make users life easier? Nope, rather the opposite. Would it mitigate current wave of virii and malware? Yes, I'm sure malware would not disappear, but it surely would be less halmful.


RE: Amen
By masher2 (blog) on 8/7/2006 4:27:51 PM , Rating: 2
> " But you still argue that...thinking up new defence mechanisms is a waste of time, 'cause they are just a "band-aid"? "

I think you misunderstand me. I agree that running non-root access for day-to-day activity is a good thing. I disagree though with the implication that encouraging (or even enforcing) this behavior is the sole metric by which you judge system security. It's just a tool...a useful one true, but only one in a large toolbox of other possibilities. A system that doesn't "encourage" such behavior can easily be more secure than one which does. There's a huge number of other factors at work.

Personally, I've run admin-level access 24x7 on every machine I've ever owned-- Windows, Solaris, Linux, and a few others. I've been using computers 25 years now, and never gotten a single virus. So the technique is, while useful, certainly not a hard and fast requirement for a desktop user.


RE: Amen
By Pirks on 8/7/2006 7:16:24 PM , Rating: 2
quote:
I think you misunderstand me. I agree that running non-root access for day-to-day activity is a good thing. I disagree though with the implication that encouraging (or even enforcing) this behavior is the sole metric by which you judge system security.
Now you probably misunderstood me - I never said this metric is a sole metric - nope, it's not and yes, there are other important metrics. My argument was that it is important enough that it got such a serious attention from MS with all the initial bad press surrounding introduction of UAP, and the most important - with zillions of old school home users that inherited old "I'm root" ideology from DOS/Win9x/NT/XP times. So while you are right that the limited user functionality is not the sole metric of system security (I've never stated otherwise) the fact that "every home user can be root" idea slipped into NT from the DOS world and was not eradicated until Vista. Countless malware, a lot of bad press and bad reputation was earned as a result (just watch those Mac commercials and tons of stupid users complaining about how their PC was infected).

I'd say this one turned out to be not the most important metric but rather the one that got the most bad press, BOTH when users were suffering from its absence AND when it was first introduced in Vista betas. Now compare this situation with a possible alternative - if MS took Unix as example to follow (as Apple did) and then forced every user to live with the notion that he/she can't be root all the time, and forced ISVs to comply with its software development guides by doing necessary checks and maybe printing warning in Visual Studio, providing ready templates, I mean stuff Apple routinely does with its XCode.

What would have happened then? MS would introduce more secure system earlier, marlware did less damage, it'd be harder to overtake the whole PC... but the transition to NT would be harder for DOS users, who could have flooded support lines with cries for help finding that mysterious System Administrator. So I'm not sure which way is better, I was just saying MS didn't pay attention to that and pays for this now. It could have paid earlier by introducing UAP in 2000 or so.


RE: Amen
By Pirks on 8/7/2006 7:35:03 PM , Rating: 2
quote:
I've been using computers 25 years now, and never gotten a single virus. So the technique is, while useful, certainly not a hard and fast requirement for a desktop user.
Well, I stopped getting virii when I switched to OS/2 2.0 in 1995, however if I see MS introducing this UAP thing into Vista and making end users suffer (at least in betas) - this IS a hard and fast requirement for desktop users now. In other words, MS does not do anything in Windows until it's required hard and fast. Be it UAP, Aero Glass, new virtual GPU based DirectX, new security overhaul - it's all required hard and fast. NOT because some Unix guru or I said so - but because market demands it, and the market is not the smartest dude to follow but when I see those OS reviews complaining about "lack of security" in Windows because it encourages home users to work as root - I conclude that market wants UAP hard and fast, let's agree on that :-) I know it won't solve Vista's potential security problems but it will definitely make it more secure.


"What would I do? I'd shut it down and give the money back to the shareholders." -- Michael Dell, after being asked what to do with Apple Computer in 1997











botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki