Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

Eureka! Macs Are Not Invulnerable

Lance Ulanoff has written a gloating article about a security hole in Mac OS X. The hole in question was that anyone able to run a DHCP server on a network containing Mac OS X systems could take control of the Macs on that network the next time they rebooted, basically because they accepted configuration information from whichever DHCP server answered them, with no way of verifying who had sent it.

Whilst this is certainly a hole you could drive a bus through, it is nothing new, and it is nothing we haven’t already seen on the PC platform; there are literally thousands of techniques that can be used to compromise Windows-based systems if you have direct access to the network they are sitting on, and many more even if you don’t.
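The protocol-level reason the hole is so wide is that DHCP has no authentication at all: whichever server answers a client’s DISCOVER first gets to hand out the configuration. As an added example (this is not code from the original post, and it is not the exploit the article describes), here is a small Python parser that decodes DHCP OFFER messages and flags any that come from a server not on an approved list, which is the basic check you would run over captured traffic to spot a rogue server on a segment. The packet builder, the 192.0.2.0/24 addresses and the allowlist are constructed for illustration.

```python
"""Parse DHCP OFFER messages and flag offers from servers not on an allowlist.

Added example, not code from the original post. The wire layout follows
RFC 2131 (fixed header) and RFC 2132 (options); the sample packets, the
192.0.2.0/24 addresses and the allowlist are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that starts the options field
OPT_ROUTER, OPT_DNS, OPT_MESSAGE_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
DHCPOFFER = 2


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed header and the TLV options of a DHCP payload (the UDP data)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:          # pad octet, carries no length byte
            i += 1
            continue
        if code == 255:        # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value  # last occurrence wins, which is good enough here
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": IPv4Address(packet[16:20]),
            "siaddr": IPv4Address(packet[20:24]), "options": options}


def addr_list(raw: bytes) -> list:
    """Decode an option carrying one or more IPv4 addresses (router, DNS, ...)."""
    if len(raw) == 0 or len(raw) % 4:
        raise ValueError("address option is not a multiple of 4 bytes")
    return [IPv4Address(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def check_offer(packet: bytes, trusted_servers) -> dict:
    """Return a verdict for one DHCP OFFER: who sent it and what it tries to configure."""
    trusted = {IPv4Address(s) for s in trusted_servers}
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return {"offer": False, "rogue": False, "reasons": []}
    reasons = []
    server = None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        reasons.append("no usable server identifier (option 54)")
    else:
        server = IPv4Address(sid)
        if server not in trusted:
            reasons.append(f"server {server} is not an approved DHCP server")
    # The router and DNS the offer pushes: a rogue server usually points these at itself.
    routers = addr_list(opts[OPT_ROUTER]) if OPT_ROUTER in opts else []
    dns = addr_list(opts[OPT_DNS]) if OPT_DNS in opts else []
    return {"offer": True, "rogue": bool(reasons), "reasons": reasons,
            "server": server, "routers": routers, "dns": dns, "yiaddr": msg["yiaddr"]}


def build_offer(server: str, yiaddr: str, router: str, dns: str, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCP OFFER (test input only; a real capture would come off the wire)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # BOOTREPLY, Ethernet, 6-byte MAC
    hdr += bytes(4)                                          # ciaddr
    hdr += IPv4Address(yiaddr).packed                        # yiaddr: address being offered
    hdr += IPv4Address(server).packed                        # siaddr
    hdr += bytes(4) + bytes(16) + bytes(64) + bytes(128)     # giaddr, chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4]) + IPv4Address(dns).packed
    return hdr + DHCP_MAGIC + opts + b"\xff"


# Constructed sample: the real server on 192.0.2.1, and a rogue host on 192.0.2.66
# answering the same DISCOVER and pointing router and DNS at itself.
TRUSTED_SERVERS = ["192.0.2.1"]
GOOD_OFFER = build_offer("192.0.2.1", "192.0.2.50", "192.0.2.1", "192.0.2.1")
ROGUE_OFFER = build_offer("192.0.2.66", "192.0.2.50", "192.0.2.66", "192.0.2.66")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        v = check_offer(pkt, TRUSTED_SERVERS)
        print(name, "rogue" if v["rogue"] else "ok", v["server"], v["routers"], v["dns"], v["reasons"])
```

The check is deliberately on the server identifier (option 54) rather than the IP header, because that is the value a client actually acts on when it chooses which OFFER to accept; in practice you would feed `check_offer` the UDP payloads of everything arriving on port 68 from a capture and alert on any verdict with `rogue` set.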

The author argues that OS X would be just as insecure as Windows if as many people were running it… however, this argument is flawed, in several respects:

  1. Mac users do not normally run with root privileges. By contrast, the vast majority of people running Windows have local Administrator rights (the Windows equivalent). This makes it a lot easier to compromise the system, whether by convincing the user to execute a program or script, or by convincing the software they are running to do it on their behalf.

  2. Much of the software running on OS X systems originates in the UN*X world, and a large part of that software has been used in some of the harshest computing environments (places like university computer labs) for the best part of 30 years. Windows server and system software is significantly newer; Windows itself has been around for about 20 years, but the versions we run today are based not on that original effort, but on the NT derivative first released in 1993, only 10 years ago. Since then, Microsoft have added large amounts of new code in virtually every release, much of which is (and has proved to be) a potential source of new security holes.

  3. OS X is designed to require explicit authentication whenever unsafe actions are necessary, even if admin users are logged-in. This makes it harder to write viruses and other malware because much of it would require an administrator to explicitly authorise it to execute! By contrast, on Windows, anything the administrator executes runs with full Administrator privileges and does not require additional authorisation.

  4. Mac OS X uses largely Open-Source components; on the minus side, this means that any security hole in Mac OS X may also be a security hole in other UN*X or BSD-based systems (and vice-versa). On the plus side, however, it is much easier to fix the security holes than it is on Windows (on Windows, you can only really fix them if you are inside Microsoft), and there is a higher probability of any holes being spotted and fixed by white-hats before the black-hats successfully exploit them.

  5. Mac OS X does not use the ridiculously insecure NetBIOS protocol (which was originally designed for use on corporate LANs, and it shows). Microsoft still makes extensive use of NetBIOS-over-TCP, which is still the core protocol for many of their server products. Steve Gibson’s site, Gibson Research Corporation, contains a great deal of information about why NetBIOS is bad; indeed, many of the current security holes plaguing Windows users (like the annoying popup-message spam) are a direct result of poor security in NetBIOS.

I do agree that the smaller number of people running OS X contributes to the security of the system (because hackers are less likely to bother with it), although it is still the case that hackers do attack UN*X systems of one sort or another, and some of those exploits will work on Mac OS X just as well as they would work on (say) Linux. The cost of Apple hardware is also undoubtedly a factor; it’s hard to break-in to a system that you don’t have set-up for yourself, not least because many of the more advanced techniques involved in compromising a machine will simply cause crashes unless you get them just right.

Nobody in their right mind would claim that Mac OS X is virus-proof or hacker-proof. It isn’t. But it is an undeniable fact that it (a) has fewer security holes than Windows and (b) has additional security measures that make compromise more difficult.

Tech Journalists and CIOs, Buck Up Your Act

I’ve been pretty disappointed over the past year or so with the quality of reporting from tech. journalists, both those on the web and those working in the more familiar world of print.

I used to be a regular reader of PC Pro (indeed, I used to subscribe to it), but over the course of the past year I started to see a worrying trend… the articles were becoming less and less informative, less and less useful and more and more full of pointless speculation on Longhammer, Clawhorn or whatever bizarre codewords were the current Microsoft/Intel/AMD flavour of the month. Typically, a less-than-technical “IT professional” would make ridiculous predictions about how Intel would be adding instructions to allow Microsoft to create a database file system that would subsume all content and make way for an SQL Server-based panacea under which the One True Operating System would finally sink all competition and leave us with the glory that is the Wintel monopoly, ending all compatibility issues once and for all (I mean, they were all created by awkward Linux and Mac users anyway, right?). Purleease.

I also think that tech. journalists have lost their objectivity. Many of them may as well be on the Microsoft payroll, for all they write about the industry as a whole; I am quite certain that there are now sections of the IT press who wouldn’t even know who SGI or Sun were (other than perhaps observing that “Sun make Java, the competitor to .NET”). Indeed, a worrying proportion of them are so pro-Microsoft that they make unsubstantiated (and irrational) claims about competing solutions in the marketplace. I am referring, of course, to wild claims of “better support” or “lower TCO” for Microsoft-based solutions; the former is simply not true (IBM, HP, Red Hat and Sun all provide excellent support), and the latter is a fiction of almost biblical proportions, the belief of which can only be an act of faith, certainly not grounded in financial reality. I mean, factor in the licensing costs, the client licenses, the cost of anti-virus software (per machine, remember), the additional downtime, the fact that even commercial UNIX (Solaris, HP-UX, Tru64, AIX or IRIX) comes with basic features like DNS and mailserver software for no extra cost, the extra hardware costs because of Windows’ unnecessarily high system requirements, the cost of year-on-year upgrades, and even the costs of things like backup software which are included in competitors’ offerings. Then factor in the lock-in; the difficulty of switching away from Microsoft-based solutions once you’ve got them. They don’t seem quite so attractive now, do they?

As for the age-old “Microsoft is the industry standard”, granted, a lot of business users use Microsoft Office because they feel that that’s what business users do. But given the extent to which many users actually make use of Office, they’d probably be better off with WordPad. Or, for a full office suite, something like OpenOffice or its proprietary brother, StarOffice; the former is free, whilst the latter costs between $25 and $50 per user ($80 retail). Both of them support the majority of the day-to-day features from Office, and both are capable of reading and writing Office-compatible document files. Indeed, in some areas, they are actually better than Microsoft’s offering, not least because of features like built-in PDF export, an XML-based file format, Flash export for presentations and OpenGL support for 3D elements. Yet many IT departments don’t even think of switching their companies to OpenOffice or StarOffice at the next round of upgrades. Personally, I find this failure to properly and objectively evaluate alternatives unprofessional, not to mention a highly questionable waste of companies’ (and therefore shareholders’) money.

Corporate Legal Nonsense

I just ran a whois query, and, yet again, my senses were assaulted by Network Solutions’ voluminous legal mumbo-jumbo. Apparently,

“By submitting a Whois query, you agree to abide by the following terms of use: … etc etc”

Personally I fail to see how this would ever be enforceable. For one thing, you see it after you have submitted your query, not before, and for another, if you are using a whois server other than Network Solutions’, it is quite possible that you won’t see their legal boilerplate unless you look-up a .com domain (for example).

Where has common sense gone? This rubbish wastes over half a screen of my scrollback buffer, is unenforceable by virtue of the fact that you cannot agree to terms that you have yet to see and is totally unnecessary. If Verisign wish to publish terms of use for their Whois server, fine… but they should put a URL in the output. In fact, this URL would do nicely.

Similar logic applies to corporate e-mail. Why, oh why do corporate IT managers insist on tacking-on some huge unnecessary boilerplate (often two or three times larger than the actual e-mail) to inform us that we shouldn’t take any opinions expressed in it as the opinions of the company, that we perhaps shouldn’t have read it in any case (remember, for the most part these legal boilerplates are tacked-on at the bottom of the message), and that given that we shouldn’t have read it, perhaps it’d be better if we deleted it and forgot about the whole thing?

Do they not realise how embarrassing it is for their employees? That they don’t trust their employees to make sensible comments, or even to send messages to the right place! Yet employees of most companies are free to write letters without the company adding a boilerplate. Even on company headed paper, if they want.

And then there’s the dilemma of what to do with the wretched things when they end-up as posts on mailing lists. Or, worse still, in the mailing list archives. Technically speaking, the bit about not being the person to whom the e-mail was written probably applies. So we should delete them, right? D’oh!

Then there’s the latest pet hate of IT directors… Instant Messaging. Employees might actually communicate with the outside world…shock, horror, we didn’t realise that. Better put a stop to it before all of our sensitive information leaks to our competitors. No, no, no! Your employees can leak information to your competitors much more easily without using IM programs, and, equally, there are much easier ways for your competitors to obtain such information without snooping on your data traffic (which, by the way, is actually quite difficult… much harder than, say, bribing an employee, tapping a telephone line or even just walking into your building and taking it!).

Employees use IM the same way they use SMS messages on their mobile telephones, to communicate with their friends. The only convincing argument against IM software is that it might circumvent your firewall, but there are ways of dealing with that.

In any case, I think the IT world is coming at the problem from entirely the wrong angle. It’s very easy to be influenced by the media, who have a vested interest in over-hyping things (because it sells newspapers, right), into taking an altogether too draconian approach to IT security. Indeed, some of the companies who operate in this area are also guilty of hyping it up (well, it does sell their products, after all).

I propose a better, entirely novel solution: trust. Trust your employees. If you’re uncomfortable about doing so, then call a meeting and tell them that you’re going to try trusting them, just to see how it feels. Tell them that they will have to take responsibility for their actions (so, if they say something stupid that gets the company in hot water, then they’ll have to explain themselves), but let them know that it is their responsibility.

People aren’t machines, and they don’t appreciate being treated as such. Sure, they make mistakes, but everyone understands that (even the courts). Give them enough rope to hang themselves, and, if they don’t, then you’ll probably have more productive staff.

Put an end to Corporate Legal Nonsense, while we still can.

Wireless Networking

If there’s anyone out there who is thinking of purchasing a Belkin Wireless Access Point and is actually going to use the thing, don’t bother. I bought one, quite some time ago now, and soon discovered that it trashes its WEP key occasionally, usually part-way through transferring large (compressed) files. OK, I thought, perhaps this one’s just broken. So I contacted Belkin, who were very helpful and even sent me a replacement before I’d returned my original unit.

Sadly, that one doesn’t work properly either. It forgets its WEP key less often than the original unit, but it still does it, which is annoying, not least because you can only reset the key from a PC running Windows (for those that don’t know, I defected to the Macintosh some time during 2002, and haven’t looked back since).

Anyway, I got fed-up and did what I should have done in the first place… I bought an AirPort. Owing to the fact that I didn’t want to run all Internet traffic via the AirPort (largely because I have a DSL router with a built-in Ethernet switch), configuring the thing took me a few minutes longer than I had anticipated (but only because I was indecisive about whether my LAN should be connected to the LAN port or the WAN port on the AirPort). I was a little concerned about the lack of an external aerial, but it seems to work fine.

The really neat thing (which I didn’t really expect, since I was just buying something to replace the Belkin unit) is the USB printer port. I could already print to my laser over the wireless link (the laser printer in question has a network card), but the addition of the AirPort has meant that I can get at my inkjet as well :-)

Redesign Finished (I Think…)

OK. I think I’ve finished the redesign now. A big improvement over the original (default) template, I think you’ll agree.

The site also now has a spam filter (thanks, Matt), so hopefully no more unwanted adverts for Viagra. I hadn’t really been paying much attention/spending much time on my weblog, as I’ve been busily beavering away on my program, however this entire spam incident increased my desire to really sort it out.

Anyway, I’m afraid that I haven’t validated the HTML (or indeed the CSS). It seems to work OK in Safari and Internet Explorer (the Mac version, at any rate), which is enough for me, for now.

Under Development

I’m in the middle of doing a new style for my site. If you’re looking at it in the meantime, it might be inconsistent or just plain wrong :-( Please bear with me.

Spammers

Aaargh!

The spammers just get worse. Now they’re spamming weblogs as well as everything else. Just to make it absolutely clear, the comment facility on this weblog is provided for legitimate readers only; use for advertising, including but not limited to advertising of a possibly offensive nature, is expressly prohibited. You are only authorised to access the comment system for the purposes of responding to an entry on this blog, or to reply to a comment that was a response to an entry.

It Lives!

Well, after a lot of work, the command line version of my program is now functional. It still needs some polishing, and a lot of testing. Plus there’s a GUI to do, and a manual to write…

But, nevertheless, it lives!

Pre-compiled Symbol Files

I’ve been getting annoying warnings from Apple’s GDB recently about out-of-date symbol files that it is ignoring, and I couldn’t find any way to sort it out… until today, I noticed that one of them had a path associated with it, so I went snooping.

Anyway, to cut a long story short, if you start getting these warnings, the command you need is

sudo /usr/libexec/gdb/cache-symfiles

Cocoa-Dev FAQ

I think we need an FAQ for the Apple Cocoa-dev mailing list, so I’ve written a draft for people to peruse and comment upon.


Update 2011-10-14

This FAQ is seriously out of date, so I’ve removed it.