Re: computers & operating systems Message #48 Posted by Les Bell on 6 Apr 2012, 2:09 a.m., in response to message #47 by M. Joury
Quote:
Isn't that safety vs. security however?
I'm not aware of any such distinction in the general literature and everyday usage of information security. If you mentioned "safety" to an infosec person, he would probably think it referred to embedded systems in transportation, aviation, power generation, etc. where there's a risk of physical accidents. (The academic literature, particularly on formal methods, has other, more specific meanings for "safety").
So, to me, security is essentially the preservation of various security properties of a computer system and the information on it:
* confidentiality (and the related concept of privacy)
* integrity (of the information, including the system configuration)
* availability (of the system and its resources such as CPU and bandwidth)
(This is an abbreviated list - there are other properties in the literature to cover obscure applications).
So it doesn't really matter whether you suffer loss because of a worm infecting your system and using all your ADSL bandwidth to send phishing emails, a virus installing a keystroke logger and grabbing your online banking password, or your leaving your laptop on a train and someone successfully reading your confidential company reports off it. In all cases, it's a security breach.
But really, that's just a semantics issue.
Quote:
I never argued that PC's don't suffer more attacks and infections. But isn't that a measure of how many "Bad Guys" are targeting each platform?
If you're counting incidents of attack or infection, it has more to do with relative market share and the number of PC's vs Mac's connected to the Internet at any one time, combined with sizes and speeds of the botnets which are spreading infections, the currently-known vulnerabilities, etc. However, one very important part of that equation is the number of distinct vulnerabilities on each platform which are available for the Bad Guys to exploit - and that's a much higher number for the Windows platform than for the Mac and Linux, because of the factors that I listed earlier, plus some others. In essence, it comes down to the old mantra: "The enemy of security is complexity" - and Windows is just too complex.
Quote:
The security experts in many of those articles I scanned
In many cases, I think you'll find those are journalists, not security experts. ;)
Quote:
I would definitely suggest a Mac over a PC simply because they are targeted less.
They're targeted less primarily because they present a smaller attack surface and harder for the attacker to compromise. There are enough Macs out there - and they're owned by "Mac fanbois" who think they're invulnerable and so they don't have anti-virus, third-party firewalls, etc. and who also must have more money than sense, don't you think? - that they represent a highly attractive target for hackers. And yet, the hackers aren't making much headway against them.
Quote:
As a PC user one has to be more aware of what they are downloading, what software they are running, and also has to (or at least should) run a decent AV suite.
That's exactly the point. You have to do those things because Windows is inherently less secure than OS/X or Linux. Q.E.D.
It has (and has had) more vulnerabilities, which gives rise to more distinct exploits. And that's why it attracts more attackers.
Quote:
everything that I have read in the past 5 years or so makes the claim that the Mac OS is no more *secure* (as in less crackable when targeted) than a Windows PC
I think you may be being a bit selective in your reading. ;)
There's also a tendency to publicise any exploit against the Mac, perhaps as a rejoinder to those (few) idiots who insist that the Mac is "totally secure".
Quote:
In fact, in those competition to break into machines, the Mac seems to fall victim first.
No - that happened once, at the CanSec West "Hack it to own it" contest a few years ago. The winner had stumbled across a new browser exploit which he carefully kept to himself and polished specifically to use at that conference. It's the exception, rather than the rule - which is why it's so memorable, of course.
Let me briefly turn to the OS/X "Flashback" trojan which hit the newspapers yesterday (again, newsworthy because it's so unusual): although it targets Macs specifically, it relies on a Java vulnerability (CVE-2011-3544) which would work against the Java Runtime Environment on Windows, Linux and other platforms, too. In order to get itself installed on the Mac, the trojan actually prompts the user to enter the admin password; a clueful user will wonder what caused that, and not enter the password (the trojan will try other techniques if it doesn't get the password (actually using vulnerabilities in the Microsoft (!) Office apps, and then Skype). On a typical Windows XP system, there's a high probability that the equivalent trojan would never need to ask for an admin password, because the user would already be running with admin privileges - a small point in favour of the Mac.
In any case, any Mac user who had followed Apple's advice to use the Sun/Oracle JRE and update it regularly (which the JRE automates) would not be vulnerable. In the private security mailing lists that I subscribe to, all the discussion has been framed as a Java issue, not an Apple issue.
I will say that Microsoft has done a lot of good work to improve security in their products, within the constraints that I mentioned in my original post. The culture within the company has improved enormously within the last five years or so, and Windows 7 is a much better platform, from a security perspective, than Windows 2000 and XP. They're probably playing in the same league as Apple, at this point, but still have a lot of work to do.
Best,
--- Les
[http://www.lesbell.com.au]
|