I found this article interesting, nothing like a security-based company stating their own opinion on which OS is more secure. :D

From PC-Pro.com:
Sophos says Apple good security choice 2:39PM

Experts at UK security company Sophos suggest Apple might be the best route to security for the masses - that is, until consumers all buy one
UK security company's senior technology consultant Graham Cluley rolled out the damning virus statistics for 2005, showing that with a 48 per cent rise in new viruses, buying a Windows box has never been more risky.

This year saw nearly 16,000 new viruses added to the Sophos database. It's a recognition of the responsiveness and efficiency with which the virus underground operates, using a variety of techniques such as using different packaging algorithms, releasing multiple virus variants simultaneously and tweaking old versions to broaden the scope for successful infection.

Last month saw the biggest slew of new viruses on record, with some 1,940 new signatures added to the Sophos library. And with so much advice and code available online, it's never been easier to add to this list. 'It's kind of like open-source,' said Cluley of the ease with which it is possible to access and edit viral code off the Net. 'There is a problem with too much information being out there.'

And it's the ease with which viruses can now be written in conjunction with a generally homogenous computing environment that is the biggest hurdle for computer security.

Virus writers can now be far more opportunistic. The massive numbers of Windows computers hooked up to broadband connections are a big, big target. Whether it's spamming campaigns exploiting avian bird-flu hype, 419 and phishing scams on the London bombings or public proof of concept code for a software flaw, malware authors can initiate a campaign within hours.

Cluley is full of praise for Microsoft however - particularly for the success of Windows Service Pack 2. 'Microsoft should be applauded for improving its operating system, because it has made the Internet a safer place,' he said.

Plug an unprotected XP computer to the Internet and there's only a six per cent chance of avoiding infection within an hour. Add in SP2 and that figure plummets.

Yet that's clearly not the end of the story. And Microsoft itself is concerned over its own figures showing that barely 30 per cent of customers are running up to date antivirus software.

Cluley too thinks that much of the virus infections are within the consumer rather than business space, with millions of computers running out-of-date antivirus software, if they're running any security software at all.

So something has gone wrong. Two-thirds of Microsoft's own customers are not getting the message and shoring up the systems against the viral tide. No wonder it's bringing out its own OneCare antivirus solution for Windows users.

But perhaps they see it as Microsoft's job to provide a secure platform in the first place, and not their responsibility to dig into their wallets to patch up the bits Microsoft got wrong.

Cluley said that a recent survey it took on the Zotob worm revealed that 35 per cent of the businesses polled thought it was all Microsoft's fault.

But Cluley disagreed, on the basis that it's impossible to guarantee a perfect flawless system. It's the homogeneity that is the problem.

'If everyone used the same antivirus, then that's a disaster too,' he said.

In fact, he thinks Microsoft is now doing such a good job on the security front that attackers will increasingly turn to applications and tools such as Google's Desktop Search as the vector for the next wave of attacks.

'They'll be looking for the add-ons and plug-ins that are popular, and used by lots of people, to find holes in and exploit,' he said.

But there are other options. Plug an unprotected Apple or Linux box onto the Internet, and you can expect to see the infection rate flatline, said Cluley.

That's not to say there are no viruses for Mac OS X or the various Linux distributions, but Windows viruses dwarf them.

'It wouldn't really work for businesses,' said Cluley, 'But for consumers I think [Apple] is quite good.'

You can accuse it of security through obscurity, but in a world where 70 per cent of Windows users don't feel the responsibility of securing their computers, perhaps they are better off with a less targeted platform. Perhaps they don't deserve Windows.

Full article here. (http://www.pcpro.co.uk/news/81079/nearly-16000-new-viruses-this-year-says-sophos.html)

No one expects to have to open the hood of a new car and make adjustments
before it is to become roadworthy. Even intelligent users assume that the default install
is the intended mode of operation. you shouldn't have to jump through hoops
to make an OS reasonably safe. Windows fans keep saying that viruses
attack windows because of the installed base. They are whistling past the graveyard.
Windows is more attacked because it is more vulnerable.
:cool:

Hi,


Actually, the discovery of multiple securities in Windows derives exactly from the fact that it is the largest in the marketplace. This is network economics at work. Windows is dissected most precisely because it is most accessible to dissection.


It is also insecure because it is intended to be user friendly and highly functional. Any one who works for any length of time in security knows that security and usability are diametric opposites.


Both *nix and Mac Os benefit from negative network economics. Fewer use them and therefore fewer also abuse them. They are also less accessible to the non uber geek. Mac OS is anyway just *nix with a particularly shiny bonnet and a nice mascot figurine on top.


The 'blame Bill Gates for everything' is getting to be a tired and lame sounding theme in hacker land. Nothing succeeds like success but nobody disses failures to the marketplace either - like who goes around saying 'Betamix- now there was a lame idea!'. Fame has the price of defamation.


BTW all those shiny new viruses - they just repeats of last year's ideas. Nobody has come up with the new big bad yet. They're just taking advantage of poor patching policy to prolong the half life of current viral families.


T E Runyzen

I completely agree with tenzenryu, lol I was actually in the process of writing about the same
subject when I saw someone beat me to it.

Actually, the discovery of multiple securities in Windows derives exactly from the fact that it is the largest in the marketplace. This is network economics at work. Windows is dissected most precisely because it is most accessible to dissection.

If we all used Apple and they dominated the market, then the majority of the worms/viruses would be tearing through those OS's. Im no expert, but thats my $0.02 on the matter...not
to mention Ive been reading through the forums for a while now...and this is my first post:P

-mob

Windows is dissected most precisely because it is most accessible to dissection.

It is not the most accessible. that prize should go to linux, being open source.
Windows is just an easier target. I don't think its popularity explains the
vulnerability. It's more the other way around. Yeah, it aims at ease of use,
but Mac is famous for ease of use, but that doesn't make it easier to
exploit. Anyway, it's a weak argument, claiming that it's only attacked
because of its popularity.

Let's try an experiment, ban windows from the internet and see what the statistics
do over both short and long term. If the other systems suffer from the same amount of malware
I will admit you were right. Either way, we will be rid of Microsoft, and that will be a good thing.
:cool:

tenzenryu I think you missed rcgreen's point.

A PC bought by the average users is a white good, that is, the same to them as a dishwasher or a TV, "Settings and fixes are for geeks and the PC should just work out of the box - end of story".

A new Mac is closer to that goal in that just to switch on the machine and use it initially you won't be logged in with administrator privaliges. Do that with a Windows PC just run with the defalts and you'll be set up as admin.

The market dominance of windows makes it the primary target for people looking for vulnerabilities. But the vulnerabilities have to exist and be exploitable before the cracker can have his/her wicked way.

Out the box Windows is open to exploitation and needs to be closed down to make it more robust.
Out the box a Mac is less open (and also less of a target).

Microsoft released 2003 server with a more locked down setup by default I'd be surprised if Vista wasn't released in a similar way.

Microsoft will never openly admit error for the loose configuration of
past versions, but I agree, they will probably tighten it up in the
future. just like car companies that never admit that a feature was
unsafe, but, sure enough, remove or redesign it for the next
model year.

I stand by the assertion that there has to be some qualitative
difference in the security of the Mac, not that it's just a smaller market share.
Why does that fact offend people so much?
:cool:

Hi,


I think the main point I was making was that I was tired of people dissing Microsoft. It's old is what I am saying. I also think my argument about network economics stands. While you can't achieve security through obscurity, security because of obscurity does happen. It is a mirage. It's not real. And MS security is as someone else pointed out quite good, just underutilised.


Should computers be secure out of the box? Well, I think part of the problem is thinking of computers as white goods. They aren't and probably won't be for quite a while. There will come a point when the number of services that the Joe Sixpacks and their Kiddies require from a computer reach a 'level' and the requirement to install additional software will tend towards zero. At that point, Microsoft will have established the 'white goods' niche that it has probably always being aiming at.


A short time after the security of these machines will mature and Windows (or whatever they call it by that stage) will be as secure as it can be. It will not be wholly secure, anymore than a washing machine is always guaranteed to work, but it will have reached an acceptable level of security and usability that will satisfy the ordinary user.


The risks currently associated with these machines will then transfer to specialist machines, the ones that still offer openess and flexibility in the way they can be used. At that point, look out *nix inter alii.


The risks will also transfer to new technologies especially in the communications arena. I foresee the return of the uberphreaker. I virtually swear it.


T R Enzenyu

And so it goes on...

MS are releasing some more info about how great IE7 is

http://www.theinquirer.net/?article=28304

Read it for yourself, the relevant part (for this thread) is the last paragraph.

Of course the downside of all this is that it will require home users, who have probably just worked out how to install software using default settings, to configure the whole setup properly

I really don't think MS have got it. This is possibly a wider problem of the people who create the software being too close to the problem (can't see the wood for the trees). The programmers see any configuration as trivial just because it is second nature to them. They don't seem to comprehend just how intimidating making even simple changes is to a great many users.

It's like asking drivers to manually adjust their suspension/engine etc everytime they travel on a different type of road.

<edit> Just a coincidence but this article is talking about some of the issues

http://www.theregister.co.uk/2005/12/13/secfocus_popups/

Drifting OT a little but interesting.

Hello-o


It's just I am really getting tired of people who declare themselves l33t because a) they dis MS and b) they can spell l33t - get a life!


I don't think MS have got it wrong - they just haven't got it right yet! They are clearly taking on board the feedback and they are doing something about it. They have certainly got to the point where MS is a really bad platform to try and hack (sorry, I mean pen test) from. They haven't yet got to the point where it is a really bad platform to try and hack into but imo they are definitely aiming for and will eventually achieve commodity usability and commodity security. They are buying out too many people who really know what they are doing to do otherwise.


Yurt Ennez

...and I'm getting really tired of seeing people try to look good by saying "look at me, I'm anti-anti-establishment!". Several things spring to mind concerning your argument:

1. A bigger market share does not ensure more viruses. There's no point in writing viruses for exploits that don't exist. The viruses exist because the holes are there, not just because the OS exists and it might be fun to throw rocks at it. And if it were primarily a numbers game, then shouldn't there be a lot of viruses out there for the areas that Microsoft doesn't dominate, such as web servers? Many (if not most) of those are hosted on non-microsoft platforms. Worms exist for the server software (php, apache, etc.) but not many are targeted at the OS itself, except for MS.

2. You're right concerning security through obscurity. However, what's more obscure than window's source code? Shouldn't it be easier to write viruses when you can go through the code for problems?

3. Security and usability are diametrically opposed? So, should we just give up? What about secure, documented, and validated software? These two things are only opposites when people spit out some half-assed software, with no foresight or emphasis on security, which is what MS did for a long time. Now they are making some steps in the right direction, but sp2 broke several apps on my machine. People say it wasn't Microsoft's fault, but what does that say about the security of XP when it shipped in the first place? And many of my problems affected hardware that was "XP Certified".

Now, I'm not saying that linux or BSD or whatever has all the answers. Maybe MS can buy their way into some good technology, and provide some good security with their plain old basic Home edition, or whatever they are going to call their entry level OS when they finally release it.

Oh yeah, and to answer your question, yes, I do think that a computer should be sold to me that is secure. What's more, your "Joe Sixpack" thinks it should be as well, he just doesn't have the time or energy to mess with it.

Hi,

D**n, I'll have to up the 'anti'.

I think you have to remember the background to all OS security development over the past few years. The previous thing was 'functionality' up to the gills, now it's 'security'. MS like everyone else is jumping on the bandwagon.

Yurt Ennez

While it is true that most mainstream OSs' focus on security has heightened in the past few years, some had an eye on it the whole time. Some were always meant to be multi-user from the git-go. Some have been built on a base that lends itself to security. Windows is not one of those. That's not to say that any others have it perfect, but the road map you describe is the one of Windows, not everyone.

There are some things that Windows has done right. As has been well documented in threads here recently, they do have a more robust set of access controls than the traditional *nix model (at least in Pro). But, there's a reason that Longhorn has been delayed so much. And there's a reason why xp sp2 broke so many things for so many people. They have tried to introduce security into an insecure system, and to do it, they had to change too many things. Starting from scratch is probably the best thing they can do, but then how pissed are people going to be when they can't run their old apps on it? How many developers are going to have to do a serious rewrite of their code?

My thing is, don't say that "all operating systems are the same"; they're not. There is a difference. And Window's performance record, with regards to security, has been shoddy. More shoddy than many other systems, and it's not because there are more of them out there.

As we all know... "Joe Sixpack" is a whiny little bitch.


Technology will never be right as far as the end user is concerned. Usability and security are not directly opposed to each other, but ever password and authentication step does take away from what most people consider usability.


I consider usability to be the fact that I will be able to "use" it, without getting fux0red. I don't give a rat's ass about having to enter a password, or take an extra step or two.




And MacOS is not a bad OS, but as far as being in any way superiorly secured... I'd have to disagree. When I was in CT, I used to break into this dude's ibook almost daily. Thank God for cybercafe's. MacOS is becoming just as bloated and full of bullshit as Windows.

I'm not condoning what I did, but I would like to say I was not malicious. I just had a bit of fun. And it passed the time.

EDIT: I need to add that many of the "security" problems that users have are directly related to their surfing habits and stupid things they do.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=272500#post878002) by KeyserSoze
They have tried to introduce security into an insecure system, and to do it, they had to change too many things. Starting from scratch is probably the best thing they can do, but then how pissed are people going to be when they can't run their old apps on it? How many developers are going to have to do a serious rewrite of their code?



Hi,


Actually this is quite amusing when you think of it in terms of the Internet. It was not designed with security in mind (or at least not what we mean by security) and I haven't heard anyone proposing we start it from scratch.


Also, MS is not the establishment. The establishment is everyone who is in this for commercial gain. The market ultimately determines security requirements whether we wish it too or not. The concept is one of 'acceptable losses' not total security. If a virus blows out your PC, it's not the end of the world. You clean it up and start over - or pay someone to do it for you.

enzt enuyr

Actually this is quite amusing when you think of it in terms of the Internet. It was not designed with security in mind (or at least not what we mean by security) and I haven't heard anyone proposing we start it from scratch.

Uhhh....whatever. Since when were we discussing the security of the net? I thought we were discussing the security of computing devices, specifically end-users and servers. The overall security of the net, along with the devices that power it, is another situation entirely.

Also, MS is not the establishment. The establishment is everyone who is in this for commercial gain.

Ok. So MS is not in it for commercial gain? Yes they are, so by your definition, they are the establishment.

By my definition, the establishment is the entity that is most established, which would be MS. What I referred to are people (like yourself) who seem to get off on ranting about how they are tired of "anti-establishment" (or whatever else you would like to call linux advocates/zealots) people pounding the message boards (which I don't think was even the case here). So I termed "anti-anti-establishment", which was supposed to be a grammatically incorrect, sarcastical term to describe people engaging in said ranting.

The market ultimately determines security requirements whether we wish it too or not. The concept is one of 'acceptable losses' not total security. If a virus blows out your PC, it's not the end of the world. You clean it up and start over - or pay someone to do it for you.

Very true. So when someone posts a link to an article that advises that the public (read: consumer) to look to alternatives (read: choices in a free market economy) for increased security (read: desired product/service), then I think we ought to let said market sort it out, and not dismiss other opinions and options just because MS is "on the right track", or because we're tired of hearing how their OS has been victimized again. If it's getting old, it's because it happens so often.

&lt;rant&gt;I support Sophos. Please, please, please, everyone go out and buy a Mac for you, your friends and all your family members. Let 75% of businesses switch to Mac...please. Then, the virus code writers will target the Mac OS and leave me alone.&lt;/rant&gt;

Basically, whichever OS serves the masses of lusers is going to be the one that is targetted. You can point out flaws in MS/Windows all you want, but the fact of the matter is that it boils down to the users themselves. If people knew five simple basics (download the patches, install a firewall, install an anti-virus software, create a Non-priveledged account for daily use, and don't click on anything stupid) they would thwart 90% of malicious code. Additionally, Unix and Linux are just as vulnerable as Windows if they aren't locked down properly. The best thing you can do is lock-down your box and teach all your friends how to lock-down theirs.

BTW, you'll notice that those four steps are NOT OS specific. Those should be done on every box, every patform, and every user.

In haste I forgot to add patching...sry.

Hi,

I am neither anti estab nor non anti estab. I just think MS are headed in a direction which will include security but is not security up to the eyebrows in the way we would like to see it.

And I agree with the last poster about making people aware but... here's the stupid part...some companies are making security their selling point e.g. AOL advertised that you could switch on antivirus, firewall, parental control etc. My question is: why - apart perhaps from the last one - would you want to make any of those optional?

Rutynezne

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=272500#post878007) by d0pp


And MacOS is not a bad OS, but as far as being in any way superiorly secured... I'd have to disagree. When I was in CT, I used to break into this dude's ibook almost daily. Thank God for cybercafe's. MacOS is becoming just as bloated and full of bullshit as Windows.

I'm not condoning what I did, but I would like to say I was not malicious. I just had a bit of fun. And it passed the time.

EDIT: I need to add that many of the "security" problems that users have are directly related to their surfing habits and stupid things they do.

I'm just curious as to why you were able to break into his iBook? I'm asking because I have an iBook and I'm wondering if there is anything I can do to secure my laptop that I may not be aware of. Sorry if that's off the subject so I'll contribute as best I can to this conversation.

I'm somewhat of a linux fan and I've heard lots of reasons why linux is more secure. You guys pretty much covered it as well as linux being programmed a bit better. I was hoping Mac OS X was the same way, and some people say it is, but I suppose we'll see.

If Microsoft doesn't secure its OS, I do plan on exploring other avenues, even if it means installing Linux or BSD on my iBook or whatever laptop I happen to have at the time.

I guess one thing we can do is try and join forces and make people more security aware or at least help friends and family and co-workers, etc., in securing their computers.

Well, yesterday Apple released a bunch of security updates for the Mac OS X. Some were critical. You want to secure your iBook, get the updates pronto!

As for the Mac OS X, it is based on BSD and NextStep. The main reason the Mac seems more secure is that it hasn't been a target since the early 1990's. That is changing, largely due to the "Mac is more secure" marketing and word of mouth. The Mac users are just begging to have a big target painted on their systems.

Here are some questions to put to your Mac using friends and family: Do you have an anti-virus on your iBook, or did you believe the BS from the Mac Store sales droid? Is the firewall up? Do you use iChat? Were you aware that one of the main, critical vulnerabilities currently on the Mac is in iChat? Have you been updating your Mac OS X regularly, or checking that it is being done?

+++++++++++
Oh, yeah, normally, when the dates are blinking, that means this is a dead thread. It is considered bad form to bring up a dead thread.
+++++++++++

Ok, thanks for the info. I do all of that already. I'll avoid posting to dead threads in the future. Thanks!