No sooner had I posted my few takes on the Mac OS X virus situation than the following few days saw the web and media in a fury over a new flaw: “Mac OS X hacked in under 30 minutes.” This article, upon reading, would essentially destroy not only the arguments I made in my previous article but also my reputation, and it is an insult to my intelligence. Go ahead and read the article, available here, but come back afterwards and finish reading what I have to say. Another interesting article, from BusinessWeek, expresses the same viewpoint on this situation and can be read here, and another article showing the differences between vulnerability and exploit in regards to Mac OS X vs. Windows is available here.
First let’s look at the basics of this situation, which has been summed up by Dave Schroeder of the University of Wisconsin.
“The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are “unpublished”. But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.
Almost all consumer Mac OS X machines will:
1. Not give any external entities local account access
2. Not even have any ports open
3. In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure
The original article was not fair, because it did not note, or even imply, or hint in any way, that local account access was granted. The whole point of Apple using proven open source services like OpenSSH and Apache on Mac OS X is exactly because of their secure nature as a result of years of scrutiny by the community. Most users of Mac OS X in a consumer or desktop setting will never even enable any of these services at all. It’s unfortunate that the initial coverage was so journalistically poor and sensationalistic on what might otherwise have been an article about an interesting local vulnerability. Instead, it chose to leave people with the impression that a Mac OS X machine can be “hacked” just by doing nothing more than being on the Internet. That is patently false.”
This site was taken offline because the test on the University of Wisconsin’s networks was not a sanctioned or authorized activity; it can be viewed here, in its entirety, either through Google’s cached web sites or through a PDF. However, for the entire duration of its time online, the worst that happened to the little Mac mini was that it was forced offline due to denial-of-service attacks, which is like calling a phone number over and over so no one else can get through. The machine was never hacked, even with more services turned on than if the average user just powered on the machine and accepted the default settings!
If you give me personal access to any computer, be it Mac or PC, I will be able to hack it. Having personal access to a computer changes the whole landscape of security. That is why, if I need to reset passwords for clients, for example, I need to have the computer in front of me. I could not possibly do this over the Internet.
Second, let’s take a look at the economics of this situation. As more and more users switch over to OS X from Windows, antivirus companies, anti-spyware companies and the like, knowing that their products are not used on any common Mac user’s machine today, know that they are losing sales. So they convince people that there are things out there that could compromise their system and that they need these products. PC users respond by buying these products because they come from the trusted sources that previously protected their PCs, and if those sources are saying there are viruses out there, then, well, they should get the product to protect their PC.
“It’s no coincidence that not long after security vendors began beating the drum about possible exploits of the Mac OS X operating system, unpatched flaws were uncovered, an analyst has suggested,” Gregg Keizer writes for TechWeb. “Rob Enderle, principal at the Enderle Group, reacted to the recent news of a pair of worms aimed at Mac OS X and a zero-day vulnerability of Apple’s operating system with accusations that the security industry hypes the danger in order to sell more security software. ‘The job of security companies is to make the Apple platform look insecure,’ said Enderle. ‘They’re now convinced that Apple is their next big revenue opportunity.’”
“Many people are worried. And rightly so. What if a large portion of people switch to Mac from Windows? What happens to the mom and pop operations that depend on selling boxes that run Windows and that have no experience with Macs? What happens to the antivirus companies that depend on the Windows security mess? How will they sell their wares to Mac OS X users? What happens to Microsoft’s Windows profits? What happens to software makers that make Windows-only software? The list goes on forever; there’s a whole economy based on fixing and supporting Windows.”(1)
When Connare Tech was first founded and was starting out, this was the primary and only source of revenue: fixing and supporting Windows. Nearly 99% of all service calls were called in by those running Windows. The other 1% was those running Macs, but they needed help setting up or customizing their computer, or they wanted tutorial information; troubleshooting something that previously was working but now was broken was never the primary issue. As I stated in the previous security announcement, this changes nothing as to how I will use my Mac, and in fact it makes me worry less. Does it make the Mac OS X platform any less secure? I think not; in fact, I believe that it makes it even more secure, because it brings truth to issues that are fabricated and based simply upon speculation, theory and the economic need of corporations to find new sources of revenue.
