I recently purchased a 12in Powerbook G4. Being an AO member and a security nut, the first thing I did was lock down the firmware and the factory install of OSX. Unfortunately there wasn't much more I could do to lock it down. I was realy dissapointed. The fact is, the PB is the most secure laptop I have ever, ever seen, or heard. Here are some of the highlights->

--Firmware retains state un-powered, so you cant just pull the battery to reset it like you can do in a PC.
--Command security mode asks for password on firmware commands and target disc mode.
--Don't even think about single-user mode.
--Unix file permissions. :)
-- BSD :)
--OSX is really secure by default.
--OSX's IP firewall is impeccable.
--Disk Copy can create AES encrypted dmg's
--Root is disabled by default

In the end you have probably the most user-friendly and secure end-user OS in the world running on top of hardened firmware. Wow, that baby is rock solid.

Mac also has an advantage being that its not as widely used as Windows, and as well with any other OS not MSoft owned, is that it has a less chance of being hacked. Yes still hackable of course but youre a lot safer since most skiddies are using tools against windows.

and thanks for the info, ive been wanting a mac to do graphics on for a long time.

Yeah, I'd have to agree. OSX is a very nice OS, and it appeals to security nuts, especially because of it's mac/unix hybrid nature. Fun computer to own and use, if only I could afford one :( .

umm, single user mode is still there... command+s

on the whole i have to agree with you, I have a PowerBook G3 running Jaguar, and I am impressed with the way that apple has managed to keep most of the services off and yet still cater to the Mac audience that hates having to do things the hard way. I live in the command line, sometimes breaking into X-Windows to run some clever security tool..., I'm about due for a reinstall though as my 6 gig HD is getting bogged down by excess crap that I'm too lazy to weed out, but hopefully a 30-40 gig Travelstar is in my near future.

Unfortunately I think that I am at the last generation of X that I can put on my computer..., my 400mhz G3 is getting pretty ancient and I saw it as the minimum requirement for some mundane bit of software..., I guess I'll have to save up for a new comp before I get to play with Panther...

Crap, loud thunder, awefully close, as much as I dislike this Windows box I am on, I think I will shut down and save it from frying...

later,
Dhej

yeah, unfortunately, command+s will get you in single user mode, unless you have Open Firmware's command security mode enabled. Then you can't do nothin unless you have 5 million years and steel hands.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Dhej
Unfortunately I think that I am at the last generation of X that I can put on my computer..., my 400mhz G3 is getting pretty ancient and I saw it as the minimum requirement for some mundane bit of software..., I guess I'll have to save up for a new comp before I get to play with Panther...


Actually according to Mac Os rumors as well as a couple of developers with Panther dev previews, 10.3 is supposedly going to be significantly faster than 10.2.X across the boards from a low-end Imac G3 on up to the G5.

You could also just upgrade your chip for $300-$400. Not as nice as new machine but it sure beats paying $1200+ in Apple tax.

Great source for rock solid G3/G4 upgrades:
www.powerlogix.com

Also, just so you know, Unix file permissions are perhaps the worst of any discretionary access system. Multi-actioned commands, transitive rights, impossible to predicting rights propigations, poor granularity on both objects and rights are just a few of its problems.

In conjunction with various other system aspects, according to ISO and the DOD these laptops are recommended only for the lowest security environments.

OSX isn't really FBSD either... prolly as much FBSD as NT is. But the very core architecture of NT and OSX are that of a microkernel while FBSD is a modular kernel.

On the other hand they are very fast and pretty and do a wonderful job with video editing. :) (though oddly, all 5 people I know that own one, have had dreams about it breaking in half... odd odd)

catch

Since OS X seems to be big on stability and security...what kinds of things does Jaguar do to the OS that makes it more effective? I haven't gotten a chance to use it yet and I was curious as to any of your experiences with it...

On Unix file permissions... I will agree with you that POSIX DACL's are much more effective when implemented properly. However, it is sometimes very difficult to make a POSIX ACL secure, but for unix, you know a file with "rwxr-x--- root root" perms is locked down and one with "rwxrwxrwx" isnt. Another thing is that unix forbids file or directory deletion/creation except by the owner of the parent directory. That is much more discretionary than POSIX where anyone with modify privs on the directory can add/delete and any admin can take ownership of any FSO. In Unix, only root has that right.

The simple fact that UN*X's DAC uses multi-actioned commands means that rights propigation is impossible to predict as rights become transitive, this makes it impossible to calculate the security of most objects. Even NT answers this issue while still using a single level system, but utilizing more finely grained commands and the deny ability.
Not only this but nearly all of the UN*X systems that have been retrofit as multi-level systems are still considered too weak to actually be used in a multi-level secure production environment.
UN*X's huge mistake was not switching to ideally the harrison-ruzzo-ullman security model or at the very least the graham-denning model. Their failure to do this has resulted in their systems from being shunned for all medium to high security environments, which is a shame because in many regards UN*X is very useable.

Though, don't even get me started on the superuser account... ick ick ick. :)

catch

unfortunately apple built in a way around the open firmware password. If you have physical access to the machine then all you have to do it add or remove some RAM and then zap the PRAM 3 times and presto instant access!!!!

I've used ManIntosh since, well, before hard drives were popular. I remember begging dad to get the LATEST THING... Color. Theyve come a long way, but the one thing that disappoints me about Apple is compatibility. Apple's hardware is outstanding, the system is very robust, the graphics are amazing... But there is simply a lack of choices in software. The average user isnt as concerned with the raw power of the processor, but how many bells and whistles they can install, hence the popularity of Windows XP. Also, the average user these days couldnt tell you the differece between Unix and Eunuchs. I myself im admittedly no expert, and I plan to take that course in a few weeks at the loacl college.
One thing that used to be a huge topic, at least in my household, was the nebulous rumor of a MacIntosh system, code named "Rhapsody" that was to feature "open architecture," so it would run "anything." A few years after this rumor was started, or at least it was mentioned by my father, the "PC compatibilty cards" were featured in the new Powermacs, and after reading about them, i was woefully disappointed. Of course, not being much of a power user, the next household fad was "softwindows." Immediatly, with allowance in hand, I trudge to the mall to stock up on a pile of PC games. And lo and behold, when I started the game, it was slllooooooooowww.
No fault of MacIntosh. I think it was before it's time. And had MacIntosh never come about, we might still be doing everything via command line!

Mac sux..
tho that is my oppinion..

Nightfalls_Girl

Hi, an interesting thread, so here is a little off-topic humour (A true one!!!):

Q: What is the most INSECURE laptop in the world?


A: The one issued to the senior MI5 officer (British Counter-Intelligence) who left it in a Soho (sleazy sex-den part of London) nightclub :)


My "real" point , though, is that physical security is paramount. Give someone long enough with the actual box in their own lab environment and you are history. Laptops (by design) are highly portable and therefore, highly vulnerable? They are not very popular in the Defence Industry for this reason.......even though it was MI5 who positively vetted my security clearance :D

What has been achieved, IS a major step forwards IMHO, but there is still that gnawing doubt about physical ownership/security?

Anyway, some security is better than no security ?

Just a few thoughts

Dumb laptop terminals using ideally line of site wireless connections are quite secure and very popular with the DOD.

catch

Good point catch,

You are way more up to date than me, or is it similar to using a thin client and Citrix to get you to an apps server?

I remember the old 5250 emulation modules for PCs................got you to the midrange/mainframe, but did not record anything in the PC that might be a security compromise.

Going wireless does raise a whole raft of other security issues though...NONESTOP an d the like?


Cheers

Johnno

Wireless can be very secure, line of sight using a spread spectrum signal is one example. This requires the attacker to physically be between the terminal and the access point as well as requiring them the pick up singals which are below the noise floor.

If you are worried about threats that can break this, you are going up against some serious heavies. Kiddies, crackers, corporate spies, whatever will just look for another method.

catch

Catch...........once again thanks.............

yes it is "serious heavies" or better here :)

the others would not understand the information.............believe me :D


Thanks again..........you are a real asset to this forum IMHO

Nice weekend to you and yours

Johnno

there's somthing to be said about dumb terminals that do not allow one to do more than the research they need to do... Keeps the problems to a minimum. Unfortunately most of us need and want more than just a dumb terminal to work and play with.


Keeping a secure system does take a some work, you have to keep up on things and do them.

Depening on you threat and security levels needed in your work encrypted disk/file systems my be needed. Along with physical security and data/system integrity tools to verify that nothing has been tampered with. Never writing sensitive files to an unencrypted disk and securely deleting them even on encrypted media...


and on and on and on......


th

Yeah, right on.... OSX :-)

Couple notes:
It's pretty easy to disable single user mode on Apple hardware. Anyway, half the time that you might have time to get at single use mode, you probably also have time to just steal the damn box (as nihil pointed out).
MacOSX is pretty new, there are a lot of undiscovered holes. It has the advantage of newness, which means there aren't really many click-n-run exploits, but as those of us who read bugtraq know, it's far from perfect. From a pure security standpoint, I'd give OpenBSD higher ratings than MacOSX. So, I guess, 2nd most secure laptop ever :-)

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by hard-mac
unfortunately apple built in a way around the open firmware password. If you have physical access to the machine then all you have to do it add or remove some RAM and then zap the PRAM 3 times and presto instant access!!!!

Just tradind the ram slots will do the same thing
lol



im 9 yr mac user and can hack command line through 10.2

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=245198#post661678) by Nightfalls_Girl
Mac sux..
tho that is my oppinion..

Nightfalls_Girl

Most think this until they start using one. I hated the Switch commercials, especially about the one "switcher" who claimed to have over ten years with UNIX and computers. I started with my certs with MS, woke up to Linux, and am now loving my four year old Powerbook G3. Still love Linux, but I love OS X even more. Look for my Switch commercial to debut at this year's Superbowl

I will buy a macintosh when Kazaa lite comes otu for it along with soem other software I really like for PC's (like gaming).

Yo, if you want graphics heres what you want to do. Downlaod KaZaA Lite K++ Edition (sorry, has to be on a pc) and search for the program you want but dont want to spend money on. By searching around, you can ussually find all of the tools and pieces to be put togethor to be equivalent to the 500$ piece of software out on the shelf somewhere. Its not illegal, since all you are doing is sharing the spoftware.

Now I dont mean to be crude or anything, but somehow mac just seems TOO protected. I dont think its really so great because while everything is pretty well protected, it seems like regular windows using OS's have more freedom. You can load whatever program you really would like. With mac, everything has to have a mac version. Like AIM and such. Its just not as good on OS's such as the Apple Os9, you cannot transfer pictures through IM. I mean I love Imac and its systems, they are great compaired to the older versions of mac computers, but i still think freedom for everything lies in your standard microsoft computer, for things like Kazaa instead of Itunes, (No payments required) and less of a hassle. I dont know. Just my opinion, does anyone agree with me??

Hahah... I will buy a macintosh when it allows me to illegally download music from other people. And you don't need a mac for graphics because you can go out and download all the software and install it illegally on your computer. Great posts guys :/

Oh yeah, and just because mac doesn't have kazaa, doesn't mean that there isn't file sharing. Limewire, acquisition, etc.

You can also install yellowdoglinux and have access to any linux programs by simply rebuilding source RPMs. And then there is fink which has ports of most useful *nix programs to Darwin.

R3Zelite> I use OSX. I transfer pictures over AIM/YahooIM/ICQ/IRC... I have never had a problem loading any programs on here. Of course you can't load windows programs on a mac unless you use VirtualPC or some other emulator. You say you can install any piece of software on your Windows machine that you want. Well, I have always wanted to be able to run BBEdit on windows. It is at http://www.barebones.com/products/bbedit/index.shtml When you get that installed on your windows machine, please send me a screen shot and tell me how you did it. Kazaa isn't a media player, its a p2p program, while ITunes is an mp3 player. You should compare ITunes to WinAMP instead. ITunes does allow you to purchace music from the music store, but the actual player is free. Oh yeah, and it has been ported to windows. I don't see any way that you have more "freedom" with windows. And OS9 just sucked azz compared to OSX.