Security By Mac – What Security?
by Mike on Nov.28, 2008, under Computer, Irritated, Technology
Ok, so if you’re here, then you are hear to read my thoughts. That’s the point of a blog. If you are a die hard Mac/Apple Fanboy (or Fangirl) who can’t stand to read something bad said about their idol, stop. Do not pass go. Do not continue reading.
Ok, so I’ve obviously peaked your interest if you’re reading this! 
Let me start by saying that I do own a mac. I don’t deny that they are nice looking machines, and my 1 year old aluminum iMac is no exception. Ok, enough praising this sad excuse for a secure computing machine.
Let me paint you a picture. On my mac, I have several accounts. I am obviously an administrator on my machine. Now, sense I’m at college, my family borrows my computer, no problem, cool. My brother is an administrator on the machine, as is my dad. My dad, for whatever reason, does not have a password protecting his account. My machine doesn’t contain the answer to life or the formula to eternal youth, so I don’t really care. This point aside, I recently came to discover something that I would consider a huge security issue and a complete blunder on Apple’s part. For those of you who know Windows, you know that when User A locks their computer, only User A can truly unlock the system. If another administrator logs into the system, it will “unlock” the computer, which really means that the user is logged out, and the system returns to the logon screen. Now, on a mac, if User A locks their system… oh wait, I’m sorry, they can’t! The only way to “lock” the computer is to require a password when the system returns from sleep or a screen saver. Sorry, that’s not the same thing. But, whatever. Now, let’s say that User A locks their system, and an administrator comes to unlock the system. When they enter in their credentials, it does not log out the user, but instead returns them to User A’s session. Hello! Um…. yeah, I don’t care if you are an administrator, you should not be logged into my session where you now have free rein of my system to snoop through my files, change settings, send love letters to that girl in the cubical two rows over in my name, and change my background… don’t TOUCH my background!
Ok, so you’re prolly thinking in your head, HELLO, administrators have access to your files anyway. That’s why they’re administrators. Duh! Well, um, no. NTFS permissions on Windows, as well as the permission schema on the Mac allow users to explicitly deny a group of users access to your files. Without going into too much detail about file security (it can be a doosy), there are two ways to prevent a user or group from accessing a file or folder. You can either explicitly deny the user, or you can simply not define access for them, which will prevent them from accessing the resource. Oh, but wait, the administrator is now parading around my mac as ME, so it doesn’t matter that he doesn’t have access to my files, my mac thinks it’s ME installing 50 GB of software onto the system. Good job!
Now, there might be a way to change the way this logon/unlocking protocol is handled, and I have just not changed it. However, if that is the case (which I don’t think is), the better question is what dim-witted programmer DIDN’T ENABLE IT BY DEFAULT!?!?
This is only the tip of the iceberg on the way I feel about Mac security. I have bashed Microsoft before and said things about Vista and other Microsoft products, but I can say one thing with certainty. That company is not afraid to admit vulnerabilities and flaws in its products and provide prompt updates for them. Every second Tuesday of the month comes the famed Patch Tuesday where Microsoft pushes out important and critical patches to its customers. It does not try to hide these flaws. I don’t care what you think about Microsoft, you CAN NOT deny that it is looking out for the best interest of its customers. Apple on the other hand… refuses to admit flaws in its supposedly “perfect” operating system. Critical flaws can take months at a time to patch, often met with denial from company personel about the alleged issues. Don’t believe me? Read this ComputerWorld: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110907
It’s crap like this from Apple that makes me want nothing to do with them. Once you get over the wow factor of their, admittently decent looking products, you will see that you are paying for overpriced crap. For the same price, you can get a PC with twice or three times the specs as the mac. I thought that it would be cool to work at Apple. After doing some digging on their business practices, and the horrible way that Steve Jobs treats his employees, I don’t want anything to do with them.
In a class a few weeks ago, we saw a video about the modernization of technology, including the first Apples and the first computers. I caught an early glimpse at how Steve Jobs views innovation, and it made me want to put my fist through a wall. I saw him talk about how he has not a care about how he and his company took specifications from Xerox all those years ago to create the first real GUI and the early macs. Yet, today, Apple whines and complains when Window starts to look “like a mac” <shutteres>. Or better yet, when a company proposes a way of organizing pictographic program depictions, we’ll call them icons, into a straight line, or container, and puts this container along one side of the screen, that’s copying the “Dock.” Hmm, I should probably remove the red box at the bottom of my desktop background into which I organize my icons, because, you know, that looks an awful lot like the Dock. >:/
I’m done watching keynotes where Jobs freaks out at the audience because the guy in the back row took more than 5 seconds to look at the “innovative”, “amazing” new Mac Pro casing that Jobs insisted everyone see. I always thought Apple products were cool, that they were imprevious to security breeches, and that they were made by a company that stood for innovative, original ideas; one that respeced its employees, and valued that interests and opinions of its consumers.
Althought I will probably continue to look out for what next product Apple tries to insist that everyone “can’t live without,” I know that once the potential wow factor wears off, I’ll be left with nothing.
November 28th, 2008 on 1:05 pm
OK, let me address your argument.
1. It is possible to lock your screen, not by the screensaver thing. All you have to do is engage fast user switching. This way, you only are able to get back into your account. Of course, it is possible to change the screensaver lock to only allow you, or a group, to unlock it, but it requires moving a file around and isn’t straightforward. I agree that this process should probably be easier and more obvious, but I think the main intention is to prevent the scenario that you walk away from your desk and a coworker swoops in and starts messing around with your stuff. It’s very different if it’s someone who has an administrative account on your computer. If they have one of those, there needs to be a level of trust that they won’t screw with your stuff. If not, then you both shouldn’t have an admin account in the first place, because there are other ways they could screw with you (like, changing your password and then logging in as you).
2. One thing you didn’t mention (or maybe you didn’t know) about administrator accounts in OS X is that it’s handled in the good Unix-style. Whether your account is an administrator or not, it is really just a standard account. If you allow administrator access to an account, that applies an attribute which gives the user access to sudo. This way, if some virus manages to get executed, it can’t harm anything outside of your data without first prompting you for your password. Yes, Vista has that UAC crap, but because it comes up so often, most people just click through it without really thinking about it
3. Microsoft’s patch Tuesday is a horrible idea. There have been cases where people wait until just after patch Tuesday to release their exploit, which gives it a full month to propagate before it is fixed. Microsoft has made exceptions to this rule, but only for the really bad exploits. Compare this to Linux maintainers or Apple, they release patches as soon as they’re ready.
4. I don’t see how Apple is any less willing to admit problems in their software than Microsoft is. When there’s a problem, they fix it. Apple pushes how well their software works, and rightly so because it does work very well. They don’t actively push that their software has problems, but neither does Microsoft really.
5. I don’t buy your comment suggesting that Apple always takes months to fix your problems (and therefore implying that Microsoft doesn’t). If you could show me a couple more specific examples of Apple taking that long to release a fix for an exploit found in the wild, then maybe I’d believe you. Actually, that specific article you cited shows me that Apple’s priorities lie with software that most people use. It is unfortunate that they didn’t patch that issue sooner, but so few people use OS X as a DNS server (and rightfully so, everyone should use Linux or *BSD and Bind). Apple realizes this, and prioritizes on the software that most of their customers use. If there were a critical exploit in Safari, I would definitely want Apple to focus on that instead of some problem in iWork. But OS X is Unix, I’m sure it’s possible to compile and run the latest Bind on it manually.
6. I haven’t seen that video you mentioned (if you could find it online somewhere, I’d like to see it though), but I can say that I don’t think borrowing the best ideas from other products is necessarily a bad thing. I mean, every window manager in Linux has had multiple desktops for years now, and I’m glad that Apple adopted it for spaces. I think back when Microsoft really was innovating, Apple took some of the good ideas, just as Microsoft is doing a little bit of that now in reverse. What I don’t like is when Microsoft stole the networking stack in one of the BSDs, shoved it into Windows 2000 and passed it off as their own.
7. I kind of have the same feeling about that last keynote as you did, he definitely was a little rude, but I’m willing to overlook it because he isn’t usually like that.
November 29th, 2008 on 1:15 pm
Firstly… people reading this must know… Mike’s initial displeasure with his Mac originated because Adobe Reader didn’t save what he had entered in fields on a PDF… on his Mac. From there… it’s just him looking for more absurd reasons.
In this case… “You’re doing it wrong” comes to mind. As Justin mentioned above… Perhaps you’re not locking the computer properly. But actually… beyond that… perhaps you’re not setting up computer account correctly. And one can only hope that if you’re working somewhere that would require proper security… that you would take the time to setup it up correctly. It’s not Apple’s fault that you don’t know how to do it correctly.
November 29th, 2008 on 1:58 pm
Oooookkkay, time for my rebuttal.
Justin -
A. You are absolutely right about the root account. Because OSX is built on Unix, it subscribes to the principal that system wide access and changes can be done through the root account. However, I’m making the point that a user who unlocks someone elses’ account now has access far beyond whatever they might be able to do on the computer itself. They now have access to personal files, email, and any websites which they might be storing in their browser.
B. To address the issue of Apple’s lax patch management and response, simply poking around google will back me up. I remember reading an article in PCWorld about this very issue. They argue that, although there are more hackers focusing on Windows, it is the most secure operating system, for the simple fact that Microsoft is so on top of responding to security issues.
Todd-
The PDF issue was not the first issue that I had, it was just one of the more vivid issues that I had had with my mac. Part of that situation was because I was dumb enough to think that Apple’s multi-purpose document viewer would handle a PDF the same way that Adobe’s app would have. I should have downloaded and used Adobe’s app in the first place. My issue was NOT with Adobe Reader, but rather Apple’s “Preview” app.
A. Ok, let’s get something clear here.
B. To address you claim of “I was doing it wrong…” first off, I’m an Information Security and Forensics major, so I hope that I’m doing it right!
However, all kidding aside, I know full-well what I’m doing. The accounts have been configured correctly – two administrator accounts. I then configured the screensaver to require a password on return. Either administrator is able to unlock the session of any user, giving them full access to that session.
I’m actually surprised – how many times did you send your MacBook Pro back because Apple didn’t take care of it? It has scratches, dirt, and all kinds of stuff on it.
My rant is not looking for “more absurd” reasons. These are all valid arguments which can easily be proven. They don’t stem from a stupid issue because Apple’s app doesn’t perform to Adobe’s PDF standard!
November 29th, 2008 on 7:04 pm
Sounds like you’re one of the many that assume that I’m a mac fanboy; I’m absolutely not. I own just one of their systems. And, no, I’m not impressed with their repair services.
And as Justin explained more detailed than me… you were doing it wrong.
November 29th, 2008 on 9:35 pm
And neither am I. OS X does what I need it to do in a better and more efficient manner than I could achieve on Windows. For example, what happens in Windows XP if you double click a .iso file? Nothing. OS X can mount and burn ISOs natively without any additional software. Same story with PDFs. If you don’t mind installing lots of additional software to handle things like this, then fine, but I would rather spend that time being productive. Or watching Heroes. Whichever I feel like doing at the time
Speaking of PDFs, when I first asked you why you didn’t like OS X, that was the reason you stated. IMO, that single event holds far too much weight in your overall opinion of the OS.
Just to reiterate, if you’re on a single user OS X system, locking the screen works fine (in fact, you can add a shortcut to the menu bar to engage it). If you have more than one user, you should have fast user switching enabled anyway, so just use that. If you’re absolutely committed to not enabling fast user switching, there is a way to set up who specifically can unlock the screen.
And Microsoft has to be on top of fixing the security problems because so many of them are found, and a more-than-insignificant percentage of them are in the wild and being actively exploited. There are flaws in OS X just as there are in Windows, but they all seem to be found and fixed before they run rampant. I’m betting that if there was something as bad as the WMF exploit on OS X being actively exploited in the wild, Apple would be just as fast to fix it as Microsoft (and ironically, I tried seeing if my machine was vulnerable and it wasn’t because Quicktime took over for WMF files. Doesn’t contribute to my argument any, but still ironic
).
But anyway, that’s all for now. See you back at RIT!