Mac Security: New: Mac OS X Security Configuration Guides

Discussion in 'Apple' started by Derek Currie, Mar 21, 2007.

  1. Derek Currie

    Derek Currie Guest

    Come and get them!

    Apple and the NSA (National Security Agency) of the USA have
    collaborated on two Mac OS X Security Configuration Guides. They
    are dated 2/15/2007. One is for Mac OS X Server 10.4 Tiger and
    the other is for the client version of Mac OS X 10.4 Tiger.

    You can obtain both documents in PDF format at:

    <http://www.apple.com/server/documentation/>


    Ars Technica did a quick review of the document:

    Apple posts NSA-approved Tiger security configuration guides
    By Iljitsch van Beijnum | Published: March 20, 2007 - 02:48PM CT

    <http://arstechnica.com/journals/apple.ars/2007/03/20/apple-posts-
    nsa-approved-tiger-security-configuration-guides>

    To quote Beijnum:

    Share and Enjoy!

    :-Derek

    --
    Fortune Magazine 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    <http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975.]
     
    Derek Currie, Mar 21, 2007
    #1
    1. Advertisements

  2. On Wed, 21 Mar 2007 15:30:33 -0500, Derek Currie wrote
    (in article
    <-
    state.edu>):
    Yes, by all means make sure you set up your systems in a
    consistent way that the NSA already knows how to get into.
    Great plan.
     
    Lefty Bigfoot, Mar 21, 2007
    #2
    1. Advertisements

  3. Derek Currie

    Tom Stiller Guest

    Security which depends on obscurity is not very good security.
     
    Tom Stiller, Mar 21, 2007
    #3
  4. Derek Currie

    Maverick Guest

    All it says is to remove most of the applications.
    How will they gain access when you remove your apps?
     
    Maverick, Mar 21, 2007
    #4
  5. Derek Currie

    Maverick Guest

    What obscurity?
     
    Maverick, Mar 21, 2007
    #5
  6. Yes, by all means make sure that you leave your systems wide
    open and unsecured so that the Skript Kiddies and
    Kindergarden Krackers have plenty to keep them occupied.

    That way they'll leave the rest of us alone.
     
    Claude V. Lucas, Mar 21, 2007
    #6
  7. Derek Currie

    Derek Currie Guest

    Non sequitur? Huh? What's obscure? I hope you aren't implying the
    dopey old myth about Mac's lower market share being the reason no
    one has ever written a malicious piece of malware for Mac OS X.
    I've killed that theory over and over again. To summarize: There
    are over 49x more pieces of malware PER WINDOWS PC than there are
    for Mac OS X machines. That most definitely blows the 'obscurity'
    myth out of the water.

    What is the real story with why Windows has 49x more malware per
    machine? I've done my best to study this and solicited ideas from
    others. More ideas are welcome. Here is what I believe so far:

    1) Windows users hate their OS to a substantial extent. Out of
    their lack of respect they clobber the OS as often as possible.

    2) Microsoft are such incompetent coders that they have left
    Windows full of plentiful and huge security holes for ages. If
    the door is open, walk on in! Clobber away!

    3) In terms of time, there has been a security hacking community
    for Windows a lot longer than there has been for Mac OS X. (I am
    ignoring the fact that Mac OS X is UNIX and is subject to that
    particularly hacking community). This is because older Mac OS up
    through 9.2.2 provided no CLI (character line interface) with
    which to break in. You either knew the ID and password for a
    machine or you didn't. It was that simple. The only malware that
    snuck on older Macs was brought in by the user themselves by
    accident.

    4) Mac OS X really is the single most secure GUI operating system
    yet devised here in our Stone Age of Computing. Obviously it is
    NOT NOT NOT perfect. But no method of 'pwning' (gamer blether for
    'owning') the Mac has ever been demonstrated. Instead loads of
    buffer overruns have been demonstrated, proving that programming
    practices today for ALL operating systems still suck out loud.

    5) Rather than hating Mac OS X, its users actually like it and
    value it. Instead of writing malicious code to destroy it or
    create botnets, its hackers write demonstration malware, or
    'proof-of-concept' code to elbow Apple into cleaning up a known
    vulnerability. The entire attitude is 180ยบ from that of Windows
    hackers. The Mac hackers want to IMPROVE Mac OS X. That attitude
    in the Windows hacking community is very rare.


    Further thought are welcome! Just don't quote the baseless and
    idiotic mythology that even the likes of Bill Gates spews at Mac
    users. Use your brain instead. Thank you.

    Share and Enjoy!

    :-Derek

    --
    Fortune Magazine 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    <http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975.]
     
    Derek Currie, Mar 21, 2007
    #7
  8. Derek Currie

    Derek Currie Guest

    Ever cynical Lefty. Not that I blame you. I'm just not sure why
    you don't offer an alternative. There are lots of them. A few
    examples:

    GnuPG = impossible-to-crack encryption for everything critical on
    your Mac and everything you share with others. I love it. It's
    FREE. It works.

    WPA encryption for Wifi/Airport = impossible-to-crack encryption
    for everything you send over the airwaves. It's built into Mac OS
    X.

    SSL = impossible-to-crack encryption of everything you send over
    the Internet. It's built into Mac OS X.

    And need I mention FileVault? FireWalls? NAT routers?
    LittleSnitch? Paranoid Android? ClamXav?

    Anyone serious about keeping EVERYONE out of their Mac has an
    arsenal of tools and methods at their disposal. Bush League / FBI
    / NSA / whoever's spying be damned! Privacy lives on. It can't be
    stopped. Let freedom ring, and so on.

    :-Derek

    --
    Fortune Magazine 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    <http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975.]
     
    Derek Currie, Mar 21, 2007
    #8
  9. I never said it was.
     
    Lefty Bigfoot, Mar 21, 2007
    #9
  10. On Wed, 21 Mar 2007 16:29:40 -0500, Derek Currie wrote
    (in article
    <-
    state.edu>):
    It's called pragmatism.
    I was offered no incentive to do so.

    There are lots of them. A few
    It's not impossible.
    I do use this, and I have recommended it quite vocally here in
    the past, once quite recently as I recall.
    It's not impossible.
     
    Lefty Bigfoot, Mar 21, 2007
    #10
  11. Derek Currie

    Tom Stiller Guest

    In an earlier post "Lefty" said:
    "Yes, by all means make sure you set up your systems in a
    consistent way that the NSA already knows how to get into.
    Great plan." implying that knowledge of how the security was set up
    somehow weakened that security. I simply pointed out that if your
    security system, whatever it is, depends upon no-one knowing how it is
    established, does not make it a secure system.
     
    Tom Stiller, Mar 21, 2007
    #11
  12. Derek Currie

    Tim McNamara Guest

    No, it doesn't. Arguably it reinforces the myth- at least as you are
    presenting it here. Your claim that "no one has ever written a
    malicious piece of software for Mac OS X" is also not quite accurate.
    Perhaps you missed MOAB.
    The vast majority of Windows users- probably over 99.9%- wouldn't have a
    clue where to begin. And FWIW I hear very few people in the world
    telling me that they hate Windows. Most people barely notice Windows as
    far as I can tell. It's just part of the appliance on their desk that
    they call "computer." They don't think about the OS much if at all.
    Many of the things left open were done to make application
    interoperability easier, knowing that it created security holes. But it
    has created vulnerabilities all over the place, compounded by the
    ineptitude of the general population in terms of practicing "safer
    computer."
    Or ineptitude. Mac users are no more competent, on average, in sticking
    to safe practices. A CLI is not necessary for planting malware, of
    course, and Macs for the longest time had no IDs or passwords- they were
    wide open to anyone sitting in front of them at all times.
     
    Tim McNamara, Mar 21, 2007
    #12
  13. Derek Currie

    Tim McNamara Guest

    Nothing is impossible to crack.
    Nothing is impossible to crack.
    Nothing is impossible to crack.
    Helpful. But nothing is impossible to crack.
    Everybody who is serious about security will educate themselves,
    understand that they can better their odds, and understand that nothing
    is impossible to crack.
     
    Tim McNamara, Mar 21, 2007
    #13
  14. Derek Currie

    Dr. zara Guest

    Now you have an issue with your government? What happened, Carlos?
     
    Dr. zara, Mar 22, 2007
    #14
  15. Derek Currie

    Dr. zara Guest

    PS: the guys a dick - If Jobs wanted a BJ he would drop to his knees in a
    heartbeat.
     
    Dr. zara, Mar 22, 2007
    #15
  16. Derek Currie

    Ian Gregory Guest

    Who is Carlos?

    "...because I hope you know this, I think you do...all governments
    are lying cocksuckers."
    Bill Hicks, Relentless
     
    Ian Gregory, Mar 22, 2007
    #16
  17. Derek Currie

    Dr. zara Guest

    You will have to ask Lefty. He knows,--- that I know.
     
    Dr. zara, Mar 22, 2007
    #17
  18. Derek Currie

    Derek Currie Guest

    I agree about education and understanding the best approaches
    toward ideal security.

    But regarding your phrase 'Nothing is impossible to crack':
    Incorrect dude! There are plenty of encryption methods that are
    indeed easy to crack. I have read about being able to crack WEP
    in 4 minutes. But NEVER has anyone cracked WPA. NEVER has anyone
    cracked GnuPG. Etc.

    Certainly we human beings are incredibly fallible and able to
    screw things up at a moment's notice. Due to our faulty
    perception and analysis abilities we should most certainly avoid
    the expression of absolutes.

    But from a strictly scientific point of view there is no way to
    crack the best of the current encryption methods available to Mac
    users today. I've heard estimates of the time required to crack
    GnuPG, for example, that reach the predicted time of the end of
    the universe (using current computing technology).

    Please note that I am excluding wetware error and torture. I am
    only talking about the encryption technology.

    That having been said, should one be open to the possibility that
    vulnerabilities in an encryption method could be found in the
    future? Yes! Example: Apple just patched three vulnerabilities in
    their implementation of SSL. Oops. You win that round! Then
    again, it wasn't the encryption that was to blame. It was the
    technology that wrapped around it.

    :-D

    --
    Fortune Magazine 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    <http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975.]
     
    Derek Currie, Mar 22, 2007
    #18
  19. Derek Currie

    Derek Currie Guest

    Oh Tim. You have to try harder:

    Wrongo buddy! MOAB never provided anything but zero-day exploit
    code to demonstrate particular vulnerabilities. NEVER, including
    during MOAB, has any malicious piece of malware been written for
    Mac OS X. Exploit code has NOTHING to do with malware until such
    time as someone writes it into a program, be it a worm, virus,
    Trojan, spyware, root kit, etc., that does something malicious to
    the Mac.

    Instead, all that has ever been written for Mac OS X is malware
    that demonstrated an exploit, aka a 'proof of concept'. This type
    of malware can, in fact, be considered 'anti-malicious' because
    it is used for the purpose of bringing awareness to a
    vulnerability so that it can be patched, preventing an actual
    malicious piece of malware from being able to do damage.

    Thanks for your feedback regarding the next parts of my post. You
    made some good points.

    But I wanted to reply to this issue. Warning, it triggered me
    into rant mode:
    Your reply demonstrates your having bought into the Microsoft
    attitude, which I consider to be dead stoopid and user-hostile.

    A) No programmer with adequate intelligence creates security
    holes. How DARE you justify Microsoft creating security holes?!
    WTF?!?!

    B) And then you blame the USERS? You blame user 'ineptitude'?!
    Please, DON'T EVER PROGRAM. I don't want to touch your product.
    This is what I call the 'BASTARD' attitude. Lose it. It is soooo
    Microsoft. :p

    BUT! I will temper my rant by saying that here in the Stone Age
    of Computing we are all stuck with computers that have just about
    zero intelligence and are remarkably poor at protecting the user
    from themselves. Ideally a human being should be able to act with
    the best of intentions and expect that other humans in the world
    are a nice and friendly as they are. The computer should help
    them live in this 'best of all possible worlds' (to quote
    Voltaire).

    Sadly, it's not happening any time soon. The near future promises
    that computers will remain a PITA, no matter what platform you
    use. And, indeed every computer user has to be very paranoid and
    deliberate in their behavior so as not to be f*cked over by the
    psychopaths among us. Just don't blame the user for the faults of
    other people and faults in computer technology. There is NOTHING
    wrong with being a kind and trusting human being. I much prefer
    them to the alternatives.


    :-Derek

    --
    Fortune Magazine 11-29-05: What's your computer setup today?
    Frederick Brooks: I happily use a Macintosh. It's not been
    equalled for ease of use, and I want my computer to be a tool,
    not a challenge.
    <http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
    [Frederick Brooks is the author of 'The Mythical Man Month'.
    He spearheaded the movement to modernize computer software
    engineering in 1975.]
     
    Derek Currie, Mar 22, 2007
    #19
  20. Derek Currie

    PC Guy Guest

    What is the purpose for these two documents? I thought OS X was so super
    secure that nothing need be done to secure it. At least that's what I've
    read from the "experts" in this forum. Stupid Apple and NSA...why didn't
    they come here and ask all the experts before wasting time on these
    documents?
     
    PC Guy, Mar 22, 2007
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.