Related articles

• It’d be easy to set this platform up on an open-air test bench, marvel at its size, rattle off its specs, run a couple of benchmarks that show it to be better than Intel’s own Atom-based boards, and give it an award. There’s nothing wrong with open-air testing. There’s nothing wrong with specs, benchmarks, or awards, for that matter. But you’re not going to get the feel of this diminutive little box unless you use it. So, with a HTPC usage model in mind and the issues first encountered in our review addressed, I built up a mini-ITX system around Zotac’s Ion offering, using Windows 7, 2 GB of DDR2 memory, an OCZ SSD, and a slim Blu-ray player that Nvidia was kind enough to send along. Let’s start with DVD playback. This is one area where the Ion is destined to shine given its GPU-based hardware capabilities. I played through several Blu-ray titles with Dolby TrueHD and DTS-HD Master Audio, and they were delivered smoothly. Though my modest theater room isn’t large enough for 7.1-channel sound to make sense, PowerDVD 9 had no trouble decoding the latest lossless codecs and outputting a 5.1-channel LPCM stream to my Onkyo SR507. All in all, as a platform for playing movies, Ion handles business—though once you’re done buying storage, memory, and a chassis, I almost wonder if it wouldn’t be easier to just grab that Playstation instead.  Next up is TV programming. I don’t watch any cable television, but I do hit Hulu on occasion when I eat dinner in front of the PC. The site employs Adobe Flash 9, which is going to need to be processed on the dual-core Atom processor. And indeed, this becomes a problem. In watching the pilot for Glee, it simply wasn’t possible to go full-screen at either low-res (320p) or high-res (480p) on my 50” Samsung running at 1280x720 (in the words of my wife, “It’s too distracting to try watching like this Let me know when you’re done playing around”). The standard browser window mode worked fine, but from 10 feet away, you’re really defeating the purpose of pulling this platform into a home theater environment. Of course, I didn’t expect .mp3 playback to be an issue, so I tried to give the Ion setup a slightly more challenging task constrained by I/O performance instead: streaming audio wirelessly from a NAS attached to the network via Gigabit Ethernet, while indexing a folder in the background. This is something that happens almost-transparently on most desktops; however, it brought this HTPC build to a stuttering stand-still (even with an SSD). Purpose-Built HTPC, Perhaps Fortunately for me, movies are all I really do in the theater room. For that purpose, Ion works. And it’s hard to argue against the board’s form factor (though, to that end, I’m still a fan of the LGA-775 mini-ITX alternative). Keep your expectations in line on this one, though. Any time you’re not taking advantage of the GeForce 9300’s GPU acceleration, you’re at the mercy of Intel’s Atom CPU. On the desktop, that’s really a recipe for frustration.

• Alan: Reading between the lines, do you know of a startup that’s working on such a solution? The Mac would actually be a great platform as the proof-of-concept--there’s a predictable set of hardware that would have to be supported. Dino: There are a number of products that provide behavior-based anti-malware for Windows, but I also would love it if there would be a solution for Macs as well. Alan: When we talk about general, rather than signature-based solutions, and think about Gray Hat strategies, we have to talk about things like Deep Packet Inspection technology. The “Golden Shield” project (a.k.a. the Great Firewall of China) was developed by the Chinese government to censor the information their citizens have access to. The NSA used Deep Packet Inspection to identify Voice-Over-IP packets to allow wire-tapping of VoIP conversations in the same way they could do so with the regular plain old telephone system.  With that said, what do you think is the role for desktop deep packet inspection? If I had a box between my computer and the Internet, it could make sure that random data wasn’t going out.  Dino: I don’t think deep packet inspection has a role on the desktop. That is a like watching your living room TV from your backyard. You already have the data and processes running on your machine, your security systems should examine them in that state where they have more information on the behavior. Alan: But as a separate box, it may be possible to minimize the risk of a sophisticated exploit that disables the security systems that are running on the same machine. The box would have its own OS, would not be exposed to breach via Web browsers or plugins that run on the same device? Or do you think that today's security tools are "good enough" where that extra level of paranoia is overkill? Dino: A secure hypervisor or even a kernel driver would be secure enough for most home users if they didn't run as an administrator when they were surfing the Web. It is way easier for malware to evade packet inspection than it is for it to exploit a kernel vulnerability. There is absolutely no reason why Web malware couldn't be delivered over SSL, except that it hasn't been necessary up to this point. Alan: Many of the exploits demonstrated at Pwn2Own have come through non-core operating system elements such as QuickTime (your exploit in '07), Adobe Flash, or Web browsers (IE8, Firefox, and Safari). In hindsight, was there anything that could have been done on the user end? That is, if you had outgoing firewalls, anti-spyware/anti-malware software, weren't logged in as a root user, would that have done anything to limit the extent of these exploits? Or are we at the mercy of the software developers to protect us? Dino: No matter what, users are at the mercy of application and operating system software developers. The user can only take secure configuration and third-party security add-ons so far. Outgoing firewalls still have to allow the Web browser to connect to Web-based TCP ports, so an attacker can simply program their exploit payload to do the same. Anti-spyware and anti-malware systems catch high-level actions that malware takes, such as installing back doors, so they may not notice the simpler remote shell payloads used in Pwn2Own exploits. Even if users log in as less-privileged accounts, an attacker may still gain access to their data. A less-privileged account makes it more difficult for spyware to maintain persistent access to the system, but does not prevent gaining initial access. Disabling unneeded plugins reduces the risk of attack, but there are not enough options in current Web browsers to disable little-used functionality or restrict them to trusted Web sites. Internet Explorer has the most flexible security policy settings, but even it does not let you grant Flash or Java access to selected sites. Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve.

• Macs are NOT hack-proof. They are not inherently more secure than Windows PCs. In real-world use, however, OS X is more secure. Why is that so? Myth #1: The average Mac OS user may be more tech savvy than the average Windows user and less likely to succumb to social engineering. This may actually be true. Before you fire off that email to complain, keep in mind that the Tom’s Hardware audience isn’t the average Windows user. You’re at the upper echelon of the group that builds PCs, keeps up with the latest technology trends, and does its own research before making a tech purchase. I’m not saying that Mac users are smarter than Windows users. Just the averages. If you think about the ubiquity of computers in North America, Europe, and Asia, then the average Windows user should in fact be close to the 50 percentile for the global population. If you think you’re better than 50 percentile, then you, too, are better than the average. If you look at the market, it makes sense. US Census data has long shown the association between level of education and household income. Since Macs are inherently more expensive, it would follow that the average income of a Mac owner should be higher than the average income of a Windows owner, and along those lines, the average education of a Mac owner should be higher than that of a Windows user. That bears out in large surveys. About 70% of Mac users have a college education whereas only 54% of Windows users have a college education according to a 2002 Nielsen study. Ultimately, it’s not the “average” that matters--it’s the least tech savvy in any group that ruins it for the rest of us.  Take spam for example.  Recent work from UC Berkeley and UCSD determined that out of 350 million pharmaceutical spam messages sent via the Storm botnet, 10,522 users visited the site and 28 people tried to actually make a purchase. It’s those users that make spam profitable and make it a problem for the rest of us. At another level, there is some truth to this claim because Mac owners have to be consciously making a switch to the Mac. Either they’re technically savvy users who are comfortable dealing with cross-platform issues or they're technical neophytes who are still smart enough to know that they don’t know anything and therefore choose the Mac as their one method of trying to stay safe. It’s the Windows users who don’t know even know that they’re vulnerable who drive the statistics up. This myth is true if you consider the statistics; the myth is unimportant. Myth #2: Mac OS X have a superior design In theory, Vista should be the better-designed operating system. Microsoft actively invests in extensive security capabilities and the Address Space Layout Randomization in Windows Vista and recent security analyses comparing number of risks and “days at risk” show that Windows Vista users actually fare better than Mac OS X users. The problem is that these analyses are limited to “security holes we know about” and get patched. Suppose two operating systems have 1000 holes in them. If one manufacturer patches 400 of them, and the other only patches 40, which is the more secure system? The answer is neither. It only takes one hole to compromise the entire system. Myth #3: Macs are targeted less frequently. Malware is profit-driven. Since there are fewer Macs on the market, the hypothesis is that commercial malware operators will not target the Mac until they reach a critical threshold market share. At some point, Macs will reach critical mass and it will be as big of a target at Windows. An analysis performed by the Director of Emerging Technologies at Cloudmark and published in the IEEE Security and Privacy has an interesting hypothesis. Using game theory, he predicts that Macs will become an economically-feasible target once the platform breaks 16% market share. Even with the success of the Mac, we don’t see Apple reaching that level for a few years (if that). Then, once the Mac reaches that level of market share, the assumption has to be that developing malware for that Mac costs the same as developing malware for the PC, and this may not be the case. In 2008, there were 1.5 million different pieces of malware targeting Windows machines. There are less than 200 pieces of malware targeting the Mac. Myth #4: Pwn2Own This one comes from the comments section of our State of the Personal Computer piece from late last year. The story about the Pwn2Own contest is that a hacking contest was held to see if Windows Vista, Ubuntu, or Mac OS X was more secure. Hack the machine, and you win the computer. The MacBook Air fell 2 minutes after the start of the contest. Windows Vista fell the next day. Ubuntu remained unhacked for the entire 3 day competition. Therefore, Macs are the least secure, followed by Windows Vista, followed by Ubuntu Linux. That’s how the story goes. The details are where things get interesting. It’s easy to imagine Pwn2Own as this free-for-all death match with hundreds of hackers going at it for glory and fame. In fact, Pwn2Own was a contest with very rigid rules. You had to wait in line to attack a target. Only one team had an opportunity to hack a machine at any time. Each opportunity was 30 minutes, and if you are unsuccessful, you have to go back to the end of the line and wait your turn. You can only wait in one line at a time, and you can only win the contest once. First come, first serve. Only four teams participated. Day 1: Win the notebook if you can do a true remote execution attack. No attempt was made. Day 2: Web browsers and mail application will now be allowed. The organizers of the competition will visit a Web site or receive an email. The winner of the MacBook Air knew that he had a previously undescribed flaw in Safari that would win the competition. He was the first in line that day. Hacked in 2 minutes. The two minute story makes for a great story and lots of publicity for both the conference and the security researcher, but no one really talks about the time spent BEFORE the contest to discover the exploit. Day 3: Common plug-ins are now installed. The Vista notebook is hacked via an Adobe Flash exploit. The two-man team that took down Vista did so with their personal MacBook Pro notebooks. Although the Vista notebook wasn’t the first to go that morning, the Flash exploit that affected Windows Vista also affected the Ubuntu Linux machine that had Adobe Flash installed. The contestants just weren’t interested in trying to win the Ubuntu machine. No one signed up to try to hack the Ubuntu Linux notebook according to the organizers. So, when you read an article talking about Pwn2own, the fact still remains that OS X has not been the target of active remote execution exploits or browser holes in real-life. Current OS X malware exists only in the form of Trojans in which the user is willingly installing software and willingly entering the administrator password.