
Hanson Divided

Windows has perhaps 100,000 attack vectors in the wild; OS X has none. Despite this, OS X - and Unix - are not more secure. Just ask security expert Daniel Hanson.

Daniel Hanson is a 'security expert'. Just ask him - or consult the Security Focus site to see his credentials. True, Security Focus does not publish his credentials, but he must be good if they let him write for them. And Daniel does have experience with OS X: a year ago he did a short stint as sysadmin for an OS X network. So he's a security expert all right.

In his excellent tutorial on the ins and outs of computer security ('Mac OS X? Unix? Secure?' 21 July 2004) Hanson points out that it's basically 'prevalence' which has sheltered OS X - and Unix - for so long.

Being a humble man by nature, Hanson admits he has no real experience with OS X, other than the short stint on an OS X network last year, and that he does not presently own nor has owned a Mac with OS X (but he is planning to buy one, so relax). Still, Hanson thinks there are important issues to raise.

Hanson arrived at these insights after spending a day at 'The Greatest Outdoor Show on Earth' with bucking horses and riding cowboys (it was obviously very inspiring).

And although he admits there is no 'hard evidence' for his claims, he goes courageously out on a limb.

'I have a number of concerns with regard to the security of OS X.'

What are these concerns? Simple. Apple don't 'get it in the security world'. Apple play their cards too close to their chest, claims the acknowledged security expert.

'The consequences of this strategy were highlighted a few months back when a number of vulnerabilities were discovered in OS X and were patched by the Panther upgrade, available for a fee. [sic]'

[This is not CNET talking, this is the acknowledged security expert Daniel Hanson.]

'I don't understand why they didn't just release the upgrade and the backported fixes at the same time. Perhaps this is indicative of a lack of process revolving around security inside Apple.

'I wonder if we will start to see privilege escalation vulnerabilities related to the Mac OS X UI. While Macs are generally pictured as home computers, organizations that use them and depend on them for information integrity should give a passing thought to the integrity of the system to a malicious user logged into the system.

'I think that Apple needs to embrace a new aspect in their relationship with their user community. Without this change in that relationship, we can expect more vulnerabilities, more confusing patch information releases and the reality may become that OS X is no more secure than Windows, or Linux, or Novell, or worse, it will fall behind and be hard pressed to catch up.

'Proactively secure by default - it would be nice if another Unix colt started moving in that direction.'

So basically what we're looking at here is a colt soon to be horse, ridden by a cowboy at the Greatest Outdoor Show on Earth - and it's ready to explode. Apple computers are not more secure than Windows; Unix isn't either. (Although Hanson does not talk of Unix other than in the context of Apple, it's clear he's accusing Unix as well - and rightfully so, right Daniel?)

Because little or nothing is done correctly at Apple, all that needs happen is Apple get a larger market share - and the same goes for Unix.

Never mind that Unix currently has a 70+% share of the World Wide Web server market - a target more attractive than any - and that these Unix boxes invariably run Apache, a web OS considered impregnable: the shoe will drop.

As soon as OS X - and Unix - get market share - 'prevalence' - they will fall victim just as the 'whipping boy' from the Northwest has done.

Obviously. But there's more to consider.

Half a century ago IBM mainframes ruled the world. They ruled governments, military installations, universities - they had 99% of the computer market. IBM mainframes CRASHED - statistically about once per year, and experts could almost predict when they would crash. Actually it wasn't a real crash; it was a glitch in an imperfect swapping algorithm that could in theory occur about once per annum for a mainframe working non-stop 24/7 with perhaps 5,000 terminals connected and miles of databases Bill Gates could never even imagine.

But the reason these IBM mainframes didn't crash more often was that they were not prevalent enough. Obviously.

Thirty years ago Digital Equipment Corporation were close to ruling the world. Their VAX machine with David Cutler's VMS was regarded as 'bullet-proof'. It never ever went down. It was used by the Pentagon and military installations and research institutes and universities all over the world. It never crashed either - it wasn't prevalent enough.

If either of these historic operating environments had ever had the prevalence of Microsoft Windows, they would have behaved identically.

It therefore stands to reason that the best defence against the woes that befall the software of the Vole is to reduce prevalence.

  • If Windows weren't used by so many people, these people wouldn't experience system hangs and crashes as often. No more using Ctrl-Alt-Del every half hour. By the same token, if IBM mainframes and VAXes had ever dominated the way Microsoft do, their users would need Ctrl-Alt-Del all the time too.

  • There is, in other words, no truth to what Bill Joy, principal author of BSD and co-founder of Sun Microsystems said about Windows and Microsoft:

    'They took standalone systems and put them on the Internet without a thought about evil-doers.'

    Clearly Bill Joy is in the wrong here and Daniel Hanson is right - and his superior in all credentials.

Just imagine: less market share and Ctrl-Alt-Del will disappear. AARD code would never have been. Passport and Hotmail nags evaporate. Teletubbie graphics grow up and get more respectful. Documents are no longer lost. Graphics drivers cannot any longer crash the operating system. Trojans cannot find root on the local machine. Viruses have no chance of parasiting on system modules. A brave new world.

On the other hand, beware the day those IBM mainframes and VAX minis come back: if they ever catch on, things could be worse than they are today.

Giddy-up, giddy-up.

Copyright © Rixstep. All rights reserved.