LITTLEBLACKDOG.COM

i'm sure you all have seen this story:
http://www.macworld.co.uk/news/top_news_item.cfm?NewsID=7980

all i got to say is what kind of crack were they smoking? was it the DC breed or some ubber crack?

i've been playing w/ OS X server 10.3 for a few days now and although the eyecandy is nice.. but i really would not call it the most secure server..

What are your all's opinions? i'll prepare a list of mine tomarrow when i got some more time..

Guide Dog Joined: 08 Nov 2003 Posts: 8377 Location: MN

nothing is secure until you make it that way. the reason linux is so "secure" is cause it isn't for n00bs (/me points at nutbombs)

if your using linux and your a n00b your going to turn it in to a paper weight (let's just face facts)

if your using windows and your a novice your going to be able to set up a horribly insecure system! but now that every one knows how to patch windows (right) cause it is on the news every other freakin' day, windows holes grow smaller (and when there is one people fill it with viruses.)

Mac OS X may just come most secure, or it might just have the smallest number of attacks cause no one uses it for servers? I can get the actual report (they want me to subscribe...)

so here is my question How many mac SERVERS are there out there? I wouldn't use a mac for a sever any quicker then I'd use command line linux for a desktop machine (which is quicker then most people but not that quick...)

Posted: Mon Feb 23, 2004 6:24 pm Post subject:

in general i've never had a problem with security on any of my personal computers. i do like the fact that OS X comes with no ports open by default. but AFAIK any vulnerability in ssh, which i turned on immediately, is going to effect my laptop the same way it effects any other linux, BSD, or whatever box with the same vulenrability.

i honestly don't know if it makes a difference, but i think the odd combination of bits and pieces that make up OS X would help in security. things that effect the BSD kernel wouldn't effect OS X, "arbitrary code" compiled for x86 wouldn't effect OS X. with this extra level of abstraction, if BSD was second on the list, i think i would put OS X on the top. but then again, i'm no security expert and am talking from my little knowledge on the subject.

Posted: Mon Feb 23, 2004 6:32 pm Post subject:

anglachel wrote:
nothing is secure until you make it that way. the reason linux is so "secure" is cause it isn't for n00bs (/me points at nutbombs)

i'd think no open ports on fresh install, as opposed to window's 5, makes it inherently more secure. linux depends on the distro, so that's up in the air.

anglachel wrote:
Mac OS X may just come most secure, or it might just have the smallest number of attacks cause no one uses it for servers?

i'd say a lot from column A, a little from column B.

anglachel wrote:
I wouldn't use a mac for a sever any quicker then I'd use command line linux for a desktop machine (which is quicker then most people but not that quick...)

i'd get an xserve in a second, they are seeeexxxxxy! anything good enough for the world's third fastest super computer is good enough for me! CLI linux, no, GUI-fied linux, oh yeah!

Posted: Mon Feb 23, 2004 8:02 pm Post subject:

From LWD Front page:

Quote:
Linux servers 'attacked more often'
Posted on Saturday, February 21 @ 10:44:23 PST by Paws

An analysis of hacker attacks on online servers in January by UK-based security consultancy mi2g found that Linux servers were the most frequently hit, accounting for 13,654 successful attacks, or 80 percent of the survey total. Windows came in a distant second with 2,005 attacks.

According to the study, the most secure OS turned out to be BSD (Berkley Software Distribution) and Mac OS X.

I don't know how many attacks I've had on my 2 OS X servers but then none have been successful. Of course it sits behind the school's firewall as well as it's own and I won't run services I don't need.

Posted: Mon Feb 23, 2004 8:17 pm Post subject:

I forget which version of MacOS, but it was definitely pre OSX: the U.S. military at one time in the past used MacOS servers. Why? Absolutely no way to access the system REMOTELY. Remote administration wasn't so popular back then, they just assumed you always sat in front of the computer.

It has also been said that the PowerPC architecture is more secure by design because it has buffer overflow protection at the *hardware* level to ease the weakness of software. AMD 64-bit CPUs claim to also have similar anti buffer-overflow features.

Posted: Tue Feb 24, 2004 6:04 am Post subject:

Just from playing around my observations.. now like any OS work can make it a secure beast.. but i'm also going to be taking into account that Mac's way is their GUI tools..

Blackhole system controls are disabled

Nice atempt on a IPFW gui interface but they left out 1 thing.. the ability to specify the types if incomming/outgoing packets... you can do it manually but still. No blocking no reserved class subnets by default plus their firewall rules they put upon you are weak and lacking..

I see a tiny implementation of UNIX system controls.. but where's the conf to get them to goto your settings on a reboot

Now i will give them credit twords the fact that most GUI tools i've used end up borking configuration files. (ie. webmin...etc...). This beast does not seem to do that..

No implementations of systrace policy's

Those are just a couple thoughts.. A verry nice start at a Server OS but not quite there yet.. Personally i feel they rushed the release of OS X, and should have waited a year or 2. But with how apple was doing at the time i dont think that could happen.. So secure yes.. Most secure no..

Moderator Joined: 26 May 2001 Posts: 8155 Location: Borneo

Lycander wrote:
I forget which version of MacOS, but it was definitely pre OSX: the U.S. military at one time in the past used MacOS servers. Why? Absolutely no way to access the system REMOTELY. Remote administration wasn't so popular back then, they just assumed you always sat in front of the computer.

It has also been said that the PowerPC architecture is more secure by design because it has buffer overflow protection at the *hardware* level to ease the weakness of software. AMD 64-bit CPUs claim to also have similar anti buffer-overflow features.

x86 has it too but nobody uses it. And the protection that PowerPC gives is not that great because IIRC OpenBSD doesn't use it while they do on other platforms

Posted: Tue Feb 24, 2004 8:22 am Post subject:

csign, do you have links or something where we can read up on that? I'd be interested to know more.

Moderator Joined: 26 May 2001 Posts: 8155 Location: Borneo

http://kerneltrap.org/node/view/573

Posted: Tue Feb 24, 2004 8:52 am Post subject:

csign wrote:
http://kerneltrap.org/node/view/573

Thanks, good read... even though I understood about 33% of it Embarassed

Moderator Joined: 26 May 2001 Posts: 8155 Location: Borneo

So you have a 50% advantage upon me

Posted: Tue Feb 24, 2004 9:36 am Post subject:

Mostly talking about new methods their using to prevent buffer overflows.. stack smashing or propolice has actually been around for awhile as a patch you can put in your gcc sources..

basically it's allowing to prevent the attacks of the type buffer overflow consisting in exceeding a static buffer memory to write an original code carried out with the rights of the program on which this buffer depends.

good read though.. i understood a little of it.. and thats only because i'm used to the userland changes in OpenBSD 3.4 and the newely adopted ELF system.

But systrace is still where the fun is at...
http://niels.xtdnet.nl/systrace/
http://www.onlamp.com/pub/a/bsd/2003/01/30/Big_Scary_Daemons.html

but they are working on it for os x