Mosh Pit

Better than Windows?

Get It Try It

Washington Post security blogger Brian Krebs assembled Apple's security track list to compare it with previous studies of Microsoft and Mozilla. The results were not encouraging. And after Bud Tribble got in the action to deny everything, it turned into a free for all in the mosh pit.

Entitled 'A Time to Patch III: Apple', Krebs' article represents the first definitive look the Achilles heel of OS X: Apple's own attitude towards security. Krebs' statistics speak for themselves.

'Here's what I found: Over the past two years, after being notified about serious security flaws in its products, it took Apple about 91 days on average to issue patches to correct those vulnerabilities.'

'I also found that almost without exception, open source Linux vendors were months ahead of Apple in fixing the same flaws', wrote Krebs.

Although Apple initially refused to work with Krebs on the study and did not return his calls, once Krebs' stat sheet was ready for publication they jumped in, modifying it to their own liking. Krebs publishes both lists at his website.

In other words, the issue of unacceptable response times was only the tip of the iceberg: in daring to come forward with these statistics, Krebs inadvertently exposed the even greater hole of Apple's smug security policy.

'Despite the fact that I freely shared all of the data I had collected, Apple refused my requests to learn the dates when those flaws were first uncovered', writes Krebs. 'Even on Apple's own spreadsheets, they don't provide patch times for one third of the most critical flaws.'

It was also apparent to Krebs, especially after being connected with Bud Tribble, that in addition to the usual slew of denials, Apple regard their user base as colossally dumb and the scapegoat for their poor performance.

Boot Camp — Again?

One of the researchers Krebs contacted also sounded the alert for Boot Camp. Ed Skoudis is a consultant for Intelguardians and an incident handler for the SANS Internet Storm Center.

'Skoudis predicted that one of the more likely avenues for exploiting OS X systems in the near future may be Apple's Bootcamp [sic] program, which will allow users to boot new Intel-based Macs into either Windows or OS X. With both operating systems on the same hard drive, he said, a piece of malware that infects the Windows side could be configured to copy code onto or delete files from the Mac side.'

But denial is contagious and the contagious attitude is found everywhere. Krebs interviewed security administrator John Welch, a lifelong Mac user. Welch told Krebs he believes the average Mac user 'is just as dumb as the average Windows user' when it comes to security.

'A non-technical user is just that, plus there is a certain amount of arrogance in the Mac community that might even make them more susceptible to these kinds of attacks', Welch said, adding he too believes trojans would soon present a potent threat to OS X users.

'Some Apple users are arrogant enough to tell you that it is physically impossible for a virus to work on OS X. People tend to focus on pure viruses, where in fact the real danger is and always has been trojans.'

Jay Beale of Bastille Linux and Tom Ferris of Security Protocols were also interviewed for the article.

'I've been dealing with Apple since late last year and I just get the impression they're basically where Microsoft was at years ago', Ferris said. 'The problem with slower response times is that for a lot of these bugs, I'm probably not the only person who found them.'

Links

A Time to Patch III: Apple
Apple Response Times (Brian Krebs)
Apple Response Times (doctored by Apple)

Facts

1. If OS X were true open source, the response times for security holes would be near zero and Apple wouldn't have to fix many of the holes themselves.

2. Because OS X is not true open source, Apple have to work harder to find ways to patch vulnerabilities and the longer they going on screwing up the OS the worse it's going to get.

3. Even though they market their 'rock solid foundation of Unix', Apple believe in security through obscurity - and practice it almost exclusively. Bud Tribble's part in this scandal is significant. Tribble may be one of the founders of NeXT but first and foremost he was one of the original 1984 Mac fanboys.

4. Most of the issues with OS X would disappear overnight if Apple used a POSIX compliant filesystem. A beige box filesystem is never going to be POSIX compliant, no matter what Apple try to make people believe. Structural discrepancies in HFS have been repeatedly pointed out to Apple over the years and all they can reply is 'the errors are known'. A beige box filesystem is never going to be anything but a laugh - a bad joke that's on the suckers who bought into the Apple hype.

5. If you gut HFS in favour of a 'real' Unix filesystem, everything has to change and newcomers to OS X don't have to be burdened by beige box nonsense anymore. All the weaknesses in OS X can be traced back to the filesystem.

6. Using HFS with Unix is like trying to force a square peg into a round hole. Apple and Unix are two diametrically opposite schools of thought. Apple have always been aware of this and of late attempted to demonstrate they can fit the peg in. They've done this by damaging the round hole: Apple have begun to change the underbody of OS X in ways that already spell disaster. Under the bonnet OS X is increasingly the mess 'MacOS' became - and everybody knows how that fairy tale ended.

7. Apple have continued to insist on HFS not because their engineers think it's the better way to go but because the fanboys are such an incessant annoyance. Apple have decided they want to protect their increasingly slim demographic of beige box users (who today are more and more in the minority) and are literally afraid to tell them in no uncertain terms to 'grow up'. These fanboys are on both sides of the developer fence - they're both longstanding Mac users and Mac developers (with little or no experience in the outside 'real world'). They and they alone are at the root of the issue. Take the fanboys out of the equation and OS X can truly become the most secure personal operating system in the world; leave them in and OS X will show the world it's no better than Microsoft Windows.