Related articles

• Exaggerated pricing myths on Apple systems aside, Apple’s biggest selling tool is Mac OS X and the fact that you can now run Windows XP or Vista on the same machine native. With BootCamp, you can get the best of both words in a general sense. Let’s make it clear though that if you’re a serious gamer who plays games like Crysis, you would still be held back because of the lack of high-end 3D graphics support. The latest for the Mac is a Radeon HD 3780 — good but not the best available. For most other games and everything else, it really works nicely. Windows drivers for the Mac are fully provided by Apple to enable all hardware on the Mac to work in Windows. So you get a full Mac and a full Windows system. You get the best of Mac OS X and the best of Windows on one machine. At this point, some people will say something like "well the only reason why BootCamp is provided to install and run Windows is because Windows is better." This is not the point. If you already have a PC and enjoy it and find it does everything you need, stick to it. If you’re in the market for a new system to replace a main desktop, this is the article for you. If someone is insistent on one thing, there’s no reason to continue reading. If they’re open to new ideas and new ways of doing something, then read on. The operating system continually refines itself and Apple markets this OS as the ultimate desktop experience. Lest there be any confusion, Apple also sells OS X Server although the market for OS X server is admittedly very tiny. Who needs pretty graphics in a serious server environment anyway? Most of the time, there no head attached to a server — things are administered through a remote terminal. Mac OS X is also based on a very robust UNIX foundation, which lends itself to being quite secure and powerful. However, given that the market share for Macs is much smaller than Windows, its prevalence to attack ratio is also lower. There are simply a greater number of Windows machines to be exploited. If the market shares were reversed, we would see Mac OS X exploited at a far greater level. However, keep in mind that the majority of Internet websites run on a *nix back end, it demonstrates that at the core, there are fewer holes to begin with. At the end of the day, anything that’s used more will no doubt reveal more security holes. An entire in-depth review of Mac OS X Leopard is beyond the scope of this article, and would require adding more than 10 pages, so we’ll leave that for the future. In fact, Apple is preparing the next major release of OS X, called Snow Leopard and we’ll definitely look at that release when it ships. For now, I highly recommend John Siracusa at ArsTechnica’s review of Leopard for a really good understanding of why OS X is so powerful and why it’s very good at scaling into the future. Expect to see things like the new powerful ZFS file system be introduced, which will allow for such features as byte-level delta backups. The lack of a registry makes everything a bit more agile. Applications store their own settings in .plist files or within themselves, making for installs and uninstalls a snap — just drag the application over or delete it. Rarely do you have to worry about lingering or overlapping system files. In a nutshell however, OS X delivers what many Windows users have to install several utilities for — and the majority of the good ones come with a small fee. Let’s take a look at some of these features.

• Alan: That’s a great point. I recently submitted a request to Apple to allow selective file sharing policy on my notebook. Its fine to have file sharing enabled when I’m at home, but when I’m at a coffee shop or other public access point, I hate having to manually disable file sharing. Dino: I really like Apple’s Network Locations feature for network configuration and I would also like it if I could associate my network security settings with it also. Windows Vista actually has a good system for this by letting the user identify networks they connect to as “Public,” “Private,” or “Work.” Alan: Earlier this year, Steve Balmer talked about Microsoft's investigation of Webkit and ultimate decision to stick with Trident. Web developers would love to have more consistent rendering engines, but from a security standpoint, does it make sense to standardize around one set of code? That is, last year's MacOS exploit and the iPhone exploit were both breaches in the same underlying Javascript code. Since IE8, Firefox, Chrome, and Safari use different Javascript engines, a single exploit wouldn't be able to target all of them. Or, do you think standardization is better because you can collectively pool your resources to develop more secure code? Dino: While standardization helps create a more secure single standard, it means that any breach of it will be highly applicable to Internet systems. I believe that more diversity in computer systems helps strengthen the ecosystem against attack. Having many diverse targets decreases the profitability of malware and once it ceases being profitable, there will be much less of it. Alan: If you had to make a recommendation: Mac, PC, or Linux?  Or do you find them to be equally (in)secure? Dino: For most consumers and home users, I recommend a Mac because they are currently targeted less by Web malware. They also tend to be easier to use so I get less tech support calls. If a user is slightly more technical and/or adventurous, I recommend that they give Ubuntu Linux a try. I recommend Windows Vista for businesses because it is a more secure operating system and better suited towards management in the enterprise. Alan: Any reason for Ubuntu specifically (full disclosure: I run Fedora on my Linux workstations)? Dino: I have found Ubuntu to be more user-friendly and I personally prefer Debian-based Linux distributions to the others. But I don’t want to start any religious wars here. Alan: For our Windows-based PC users, what are some tips for running a "secure" PC? What about our Mac users? Linux users? Dino: PC users should move to Vista or Windows 7 as soon as possible to make use of their security features. Mac users should do the same with Snow Leopard. Linux users are already pretty well served by the leading desktop distributions, so they shouldn't need to take many additional precautions. For all of these operating systems, the National Security Agency (NSA) Systems and Network Attack Center (SNAC) freely publishes in-depth secure configuration guides that can be followed to further harden your operating system environment. (Ed.: the NSA’s guidelines can be found here)

• Alan: When the NX bit was first introduced, it was supposed to dramatically reduce the amount of malware. Suppose the Alan Dang Web browser had a bug in the code that parses the URL. If I had a Web address that was too long, it’ll end up copying that data into the memory that’s beyond the space allocated for data. The machine will execute that code and now it’s compromised. My understanding is that the NX bit prevents that from happening. But it seems as if the developers of malware simply transitioned to other methods of exploiting a system. Nowadays, the buzzwords are 64-bit ASLR, code signing for kernel extensions, or sandboxing? How much of this will help? Charlie: The NX bit is very powerful.When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me. Alan: And just so that our readers know, ASLR is implemented in Windows Vista (but not XP) and Vista SP1 is required for the full ASLR. Leopard had some binaries placed randomly, but Snow Leopard is rumored to introduce full ASLR. On Linux, kernel 2.6.12 has a weak form of ASLR like Leopard does, but PaX and ExecShield will implement Windows Vista-like ASLR. I know you can't talk about this year's Mac exploit, but let's talk about last year's Safari flaw. To win, you were able to remotely execute code on the MacBook Air. I would imagine that a malicious hacker would have then directly installed malware without triggering the confirmation for root access, etc? Charlie: In neither case did I get root/admin access. That would have required additional vulnerabilities. However, just running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred.  Alan: In hindsight, was there anything that could have been done on the user end? That is, if you had outgoing firewalls, anti-spyware/anti-malware software, weren't logged in as a root user, would that have done anything to limit the extent of the breach? Charlie: None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped.