SuperSite Blog

Respected consumer advocacy group recommends against using Safari

And heck, that’s just common sense. I’ve recommended that all along, for Windows users. But what’s interesting about the Consumer Reports recommendation is that it’s aimed specifically at Mac users:

Mac users should scrap Apple's Safari and replace it with a browser that offers antiphishing protection, such as Mozilla's Firefox or Opera Software's Opera, Consumer Reports said today as it unveiled its annual Internet security survey.

Mac users are just as likely to fall for the fake sites as people running Windows, Fox said. "There is no significant difference" between the two groups -- Mac and Windows users -- regarding the likelihood of giving away information, he said. "Mac users are indistinguishable from Windows users here."

But users going online with Safari are leaving themselves at risk because the browser doesn't include tools to warn when a site is, or might be, dangerous. "The browser of choice for most Mac users, Apple's Safari, has no phishing protection," said Consumer Reports.

Until Apple adds antiphishing tools, the publication recommended that Mac users steer clear of Safari.

"The Mac [phishing statistics] were pretty interesting," said Fox, who named it as one of the current survey's biggest surprises. "Mac users think that they don't need to worry about viruses and spyware," he said. "But e-mail is the weak vector on the Mac."

Most phishing attacks begin when a user receives an e-mail message -- perhaps one posing as from his bank -- that includes a link to a malicious Web site.

"This is the one area where the Mac doesn't have an advantage in security," Fox continued. "Significantly fewer Mac users were using antiphishing technologies, but they were pretty much identical to Windows users about giving personal information.

"Windows users are used to being paranoid about not clicking," he said. "Mac users aren't, even though they say, 'Antivirus software, who needs it?'"

Fox also noted that users running Windows Vista reported significantly fewer instances of spyware or other malware infections than did people relying on Windows XP.

I do have a Consumer Reports subscription, but didn’t actually see this information in the cited report.

Thanks Jonathan.

Published Aug 06 2008, 08:16 AM by pthurrott

Comments

 

Snakedoctor1 said:

Well I was waiting for the Nabisco browser review but this will do, no Safari for me!!!  Maybe I should subscribe to Consumer Reports for Windows IT reviews?

Man three Apple posts in a row.  Funny my browser says Winsupersite????

August 6, 2008 6:42 AM
 

shark47 said:

"Man three Apple posts in a row.  Funny my browser says Winsupersite????"

There you go again! I read this yesterday. Consumer Reports mentioned 7 myths about the internet, one of them being, "Macs keep me safe" or something of that sort.

August 6, 2008 6:55 AM
 

shark47 said:

Oh. And Safari security is something that's very relevant to Windows users.

August 6, 2008 6:57 AM
 

Dude1313 said:

Last time I checked Firefox runs on Macs...

August 6, 2008 7:18 AM
 

shark47 said:

"Last time I checked Firefox runs on Macs..."

Yes, and that's what Consumer Reports recommends on Macs.

Nevertheless, these are interesting observations in lieu of the numerous discussions we had on the IT Pro site about Mac/PC security.

Notice the last sentence:

"Fox also noted that users running Windows Vista reported significantly fewer instances of spyware or other malware infections than did people relying on Windows XP."

I think it's interesting. Ed Bott and Paul Thurrott have always touted Vista security but we've had widely quoted studies from shady sources which attempted to debunk claims of Vista being more secure.

Oh, and finally, and slightly O/T, Ed Bott answers questions about the x64 version of Vista: blogs.zdnet.com/Bott

August 6, 2008 7:47 AM
 

johnpapola said:

Paul, just rename your blog.  The Apple coverage is extreme.  You should be required to limit your coverage to 3.5% of posts as per your obsession with worldwide share.

August 6, 2008 7:49 AM
 

yert said:

Or 9% if we are using whatever math got us that number...

I think at this point the Win in WinSuperSite stands for the Win, not Windows. When I named my blog I was vague with the name because I didn't want to be restricted to a single topic. Paul would do well to learn from me now. :D

August 6, 2008 8:03 AM
 

MaryW said:

@JohnPapola

Oh come on John! Who would read this stuff otherwise? Just Mr Galos and the Pingbacks :)

August 6, 2008 8:10 AM
 

tayme said:

@jp - "You should be required to limit your coverage to 3.5% of posts as per your obsession with worldwide share."

I realize that was a tongue in cheek remark, but this is the type of response that Paul likes to satirize by using the iCabal term. Be real...Paul is allowed to discuss what he wants on HIS BLOG. Who do you suggest "requires" and polices limiting what type of coverage he posts?

--tayme

August 6, 2008 8:51 AM
 

johnpapola said:

Here's the count on "the super site for windows" blog:

15 posts on page 1.

3 purely mac posts

1 post in theory about Windows but really just a Mac criticism

2  MobileMe posts

2 iPhone posts

So 53.33% of the "Supersite for Windows" blog is about Apple products in some way.

26.67% Are directly about the mac, mac prices or mac marketshare.

Paul can post what he wants... but don't tell mac users to "get lost! It's a windows site" with this content spread.  And seriously, you're telling me you can't see the hypocrisy in Paul's obsession with 3.5% worldwide share yet devoting so much personal energy to blogging about Apple?  Give me a break.

Have a great day!

August 6, 2008 9:00 AM
 

mikegalos@msn.com said:

What IS interesting is that the discussion has so quickly been moved to be a metadiscussion about Paul's blog itself rather than Mac security or even Safari security.

August 6, 2008 9:20 AM
 

tayme said:

@jp - Compare that to the amount of time and money spent by Apple and Steve Jobs talking about Microsoft in keynotes and TV adverts. The only adverts that they actually talk about their own product are the iPhone ones.

Oh, and I have not told anybody to "get lost"...Get a grip, John...I think your wife has a point about you and these blog sites.

--tayme

August 6, 2008 9:21 AM
 

shark47 said:

"Paul can post what he wants... but don't tell mac users to "get lost!"

Like I said earlier on another thread. If Mac users want to read Paul's blog, it's up to them. But please stop complaining. I don't see anything wrong with this post. The article was published in a highly respected publication. It's hard for you to attack the credibility of the source, so what do you do instead? You shoot the messenger.

August 6, 2008 9:24 AM
 

tristanh said:

John, I think that you are missing the point here, so I'm gonna help you out.

1.  Safari is available on the PC, even if only one or two people use it, and so if there is a problem with its security, we should know.

2.  The MAJORITY of iPhone users are also... wait for it... WINDOWS users and must sync their device with... guess what... WINDOWS.  Because this is the SUPER Site for Windows, Paul must go beyond just the OS and cover anything that affects the Windows user.

3.  MobileMe is no longer .Mac and is no longer a product purely used by Mac users.  Because the iPhone is so popular and because people would love to use its pseudo push capabilities, many will get MobileMe.  Because the iPhone is a device used mostly by Windows users and because MobileMe is supposed to work on both OSes, it makes sense that it would be covered here.

4.  Coverage of Apple's market share makes sense here.  Apple is MS's biggest competitor, and it is important to keep an eye on the competition, even when its market share is as small as 5 or 6 percent.  As a sports reference, a blog covering the Red Sox would inevitably talk about the Yankees.

So while 53% have to do with Apple products in some way, and 26% are directly about Apple, 100% of them should be here.  Some way or another, this stuff affects the Windows user.  Maybe it's not as direct as you and the iCabal would like, but it is stuff that should be talked about and I see no reason why it shouldn't be here.

Hope this helps, but I doubt it.

Tristan H.

August 6, 2008 9:46 AM
 

johnpapola said:

@Tayme,

You're right. Have a blast bashing Safari guys.  I'm outta here.

August 6, 2008 10:03 AM
 

Waethorn said:

Heh.  I wonder what Apple is going to do about Safari on the iPhone then.

Maybe Jobs will release another email-turned-PR-campaign saying that it's not up to snuff....

August 6, 2008 10:12 AM
 

shark47 said:

"Have a blast bashing Safari guys.. "

Now you're just being childish. Somehow I get the feeling that you cannot bear the thought of people saying something negative about Apple's products. If you have a problem with someone, it should be with the person who wrote the article in Consumer Reports.

August 6, 2008 10:15 AM
 

weedmonk said:

Paypal and now a publication? Hold on....let me go to the Safari website.

"The Worlds Best Browser"

Yup, it still says it.

ROIFLMAO.

August 6, 2008 10:24 AM
 

Waethorn said:

....Opera Mobile makes the Touch Diamond look more and more like a better smartphone....  ;)

August 6, 2008 10:31 AM
 

weedmonk said:

@Tristan or anyone else

" Apple is MS's biggest competitor,"

Is that true? Given MSFT's global footprint and dominating marketshare I would think Oracle or Sun would fit that bill. Not to mention Google and FOSS.

August 6, 2008 10:32 AM
 

Waethorn said:

Has Apple completely retracted the iPhone SDK 1.0 (ie. Webkit Webapps Edition) yet?

Sorry, but this is just too funny!

The iPhone 3G, MobileMe, Safari, and Apple's entire cloud-computing vision of "having the internet in your pocket" will be remembered as the Newton 2.0 - Apple's not-so-graceful second descent.

(That's a pun, if you didn't get it already)

August 6, 2008 10:38 AM
 

tristanh said:

@Weedmonk...

That is a good point.  Oracle or Sun definitely fit that bill and Google is a force to be reckoned with for sure.  However, MS's major product, at least as I see it, is Windows, an OS, and in this respect Apple is its biggest competitor.  When the average user goes to buy a new PC, their thought is "Windows or OS X?"  This is what I was referring to.

None of that withstanding... even if Apple is MS's BIGGEST competitor, they are surely high up on the list.  To use the sports analogy again... A blog covering the Red Sox would inevitably talk about the Red Sox AND Rays.

August 6, 2008 10:42 AM
 

mikegalos@msn.com said:

Weedmonk

I suspect they meant this as a shorthand for, "Apple is Microsoft's biggest competitor in desktop consumer operating systems" and not overall.

(And that's ignoring that Microsoft's biggest competitor in that field is older copies of Windows and bootleg copies of Windows both of which vastly overshadow Apple's share)

August 6, 2008 10:44 AM
 

tristanh said:

Sorry, meant to say

... even if Apple isn't MS's BIGGEST competitor...

August 6, 2008 10:44 AM
 

johnpapola said:

Just for the record... this safari complaint is obviously legit and safari on the iPhone has inherent phishing danger with its small URL bar.

Apple needs to get its act together and work to be at least as good as Microsoft now is on security.  They need to use every tool in the book to keep the platform as safe and attack-free as it's been.  The false sense of security in the non-techie mac community is a dangerous and untenable situation.  Phishing attacks are an especially dangerous bit of social engineering.

Just for the record ;)  God bless.

August 6, 2008 10:45 AM
 

tristanh said:

"Just for the record... this safari complaint is obviously legit and safari on the iPhone has inherent phishing danger with it's small URL bar.

Apple needs to get its act together and work to be at least as good as Microsoft now is on security.  They need to use every tool in the book to keep the platform as safe and attack-free as it's been.  The false sense of security in the non-techie mac community is a dangerous and untenable situation.  Phishing attacks are an especially dangerous bit of social engineering.

Oh.. and Mike... yes that is exactly what I meant

Just for the record ;)  God bless."

John, perhaps your best and most logical post... Good Job!

August 6, 2008 10:51 AM
 

mikegalos@msn.com said:

tristanh

You're making the mistake of thinking of Microsoft as a company that thinks of corporate competitors which doesn't work when the competitor for one product is a highly valued partner for another.

For the most part, each product unit thinks about their own competitors. For example, the SQL Server team thinks a lot about Oracle but if you asked them about Apple they'd probably go, "Who? Oh, yeah, the iPod guys." On the other hand, the Zune team probably thinks about Apple all the time but couldn't tell you what version of Oracle is on the market.

August 6, 2008 10:52 AM
 

Mum said:

"What IS interesting is that the discussion has so quickly been moved to be a metadiscussion about Paul's blog itself rather than Mac security or even Safari security"

Isn't it? Surely the iCabal would be posting like mad, denying any possible security problems with Safari?

August 6, 2008 10:55 AM
 

mikegalos@msn.com said:

John,

Nice post.

Apple has gotten sloppy about security (details of which are probably beyond the scope of this board) but I'd add that the Mac community needs to start informing themselves about security. I still see them acting as though the lack of viruses on Macs is somehow due to an inherently secure OS that's immune to attack and will be forever. What they think the security patches are fixing is a mystery.

I have found that the best way to get shouted down in any Mac user forum is to question that almost religious belief that since Macs haven't been targeted for viruses therefore OS X is somehow mystically secure. There's an attitude of willful ignorance in not thinking about security that's, frankly, a ticking bomb.

I suspect the first time the bad guys (and these are not 17 year olds in their parents' basements anymore but serious organized crime groups) decide to target OS X, they'll get 90%+ infection and the shock to the zeitgeist of the Mac community will be horrible.

(In short, since you spend time with Mac people, please try to get them to start waking up)

August 6, 2008 11:09 AM
 

Waethorn said:

Shall we be looking forward to an MoSB?

August 6, 2008 11:15 AM
 

tristanh said:

@Mike

I see what you are saying... and it is a good point and not one I will argue.  I will say this however, regardless of how MS views Apple, Apple is important in the MS world.  Whether we are talking about how the iPod affects the Zune or about OS X and Windows, or whatever, there is a connection there.  My point is that Apple is relevant to MS and therefore should be talked about on a site such as this.

Tristan H.

August 6, 2008 11:21 AM
 

Snakedoctor1 said:

"The article was published in a highly respected publication." yep if your reviewing blenders or the reliability of a Honda Civic.

I like Consumer Reports but it's the last place I would look for an IT related review.

I agree that Safari does not have anti-phishing built into it but neither did IE until version 7.  Apple needs to step up and add that.

Until OS X is exploited as in real attacks the sense of security is real.

There might be holes in the OS, but all have them.  Apple might be slower to fix them which is not good, but the fact remains there are not many if ANY recorded exploits (as in successful attacks).  On the other hand Windows is hacked daily.

Now the vast majority of those hacked Windows boxes are consumers, plugged right into a broadband modem, with no updates or protection, and Windows is a big fat target with its market share.

August 6, 2008 11:27 AM
 

mikegalos@msn.com said:

tristanh

I wasn't saying they're irrelevant. But that's a long, long way from Microsoft's Biggest Competitor.

August 6, 2008 11:28 AM
 

DRWAM said:

Still, the bad guys won't find the Mac worth hacking as the payoff is considerably lower due to market share. I prefer FF on the Mac, but still prefer IE on Windows. Unfortunately, the PACS workstations MUST use IE 6 and it crashes numerous times all day. Wish we could upgrade to IE 7 or at least have FF. I am going to see if IT will allow FF installed as IE 7 has a compatibility problem with the PACS suite, but FF does not. I would bet that GE won't allow it, but you won't get it if you don't ask.

August 6, 2008 11:31 AM
 

mikegalos@msn.com said:

OK, we've moved into the dangerous "Macs are immune" meme.

Let me say this as clearly as I can.

The choice of hardware or operating system has NO (as in zero, null, none, naught) relevance to phishing attacks.

Windows Vista, Windows XP, Mac OS X, Linux, Unix, Windows Mobile, iPhone, iPod Touch, some browser you wrote yourself to run on a Commodore Amiga, it doesn't matter.

If you go to a phishing website and either use a browser without a phishing filter or ignore the warning you are vulnerable. It is a social attack and, like any con game, is based on human factors and not the computer.

August 6, 2008 11:44 AM
 

DRWAM said:

How does IE 7 compare to FF 3 in the anti-phishing realm?

August 6, 2008 11:56 AM
 

Snakedoctor1 said:

Mike, I could not agree more, and that is why this review is pointless IMHO.

Days of Virus attacks are gone.  Let's be honest there are no more slammers anymore.  Everyone, corporations, ISPs, home users have wrapped themselves in layer upon layer of protections, and the Symantecs of the world could not be happier.  Enough hot shot kiddie hackers in Germany have been sent to PRISON, with the help of MS and others that that kind of activity is all but gone.

Today it's flat out hacking for profit.  Social hacking mostly, to get at your identity info to use it.  Or a combination of social/PC hacking as in you get an email that looks legit and you click on a link on an XP box running as an Admin account and it downloads whatever it wants to your PC and you're done.  Your PC runs fine, but either they have ripped your info or your PC is being used as a zombie to do their bidding and you don't know it.

IE and FF have phishing protection but it's pretty much worthless for joe user that clicks right through it.  It does nothing for email that you open and set off something.

So like I said, Consumer Reports, while their heart is in the right place, is the last place people need to get IT advice from.  Now if you want a new Washer and Dryer.....then by all means get a copy of Consumer Reports.

August 6, 2008 12:05 PM
 

mikegalos@msn.com said:

DRWAM

If you think the Windows/Mac religion wars are bad, comparing browsers is even worse.

From what I know...

IE 7 was better than FF2 which was criticized for a weak anti-phishing filter.

FF3 has improved over FF2 but I don't know whether it has caught up with or surpassed IE7.

IE8 improves the anti-Phishing tech that was in IE7 but the current tech preview is not ready for general use and is there so developers can start getting their sites ready. The real beta of IE8 is expected out fairly soon but, again, will be a beta and not for production use.

August 6, 2008 12:06 PM
 

Snakedoctor1 said:

Let me add to my last post, it's not just XP.  It could happen on OS X, if it's an info only gathering attack that you went to a site via an email you got.  It's not even your computer at all, it's what you do when you type in a bank account password or whatever.

Now for those sites that download crap to your computer after you go to them like a fool, then OS X today is not a target as far as most people know.  XP is, Vista is way better with UAC at stopping the junk that comes down.

August 6, 2008 12:08 PM
 

mikegalos@msn.com said:

Snake

It is not only naive, it's dangerously naive to think that the days of viruses are over.

We've moved from attacks being something done by amateurs to gain some street cred and moved to attacks coming from organized crime and national intelligence agencies.

Zero-day attacks are more common not less. Yes, we're seeing less success from script kiddies running downloaded botkits but we're seeing more attacks that are very sophisticated.

August 6, 2008 12:16 PM
 

DRWAM said:

Thanks Mike. Even my two 7 yr olds know  that IE is for Internet Explorer, and that's what they use to play in Webkinz world and Nick.com, but I probably should not have mentioned that "W" word as we may get tons of pings again. I guess this will test it, and I may get banned!

PS, our favorite English roses are Golden Celebration and favorite orange roses are Livin' Easy and Remember Me. They all grow well and Livin Easy reblooms a lot and is very shade tolerant. Golden celebration grows really fast and tall. David Austin really knows what he's doing.

August 6, 2008 12:26 PM
 

Waethorn said:

"FF3 has improved over FF2 but I don't know whether it has caught up with or surpassed IE7."

In XP - yes.  In Vista - no.

It has nothing to do with the phishing filter though.

@snake:

It's not just about social engineering or viruses.  Corporate security companies pan OS X's security for the workplace once the investigators pass through the superfluous fog of "impenetration" that Apple creates in their marketing for the OS.  The source code is open, so as a buddy of mine that works for a major enterprise IT security firm likes to say:  "it's like giving the hijackers the blueprints for the WTC with a big arrow that says "CRASH HERE"."  

Harsh, but so very true.

August 6, 2008 12:29 PM
 

mikegalos@msn.com said:

Snake

You said "... Safari does not have anti-phising built into it but neither IE until version 7."

To put this in perspective.

2004 - Phishing becomes a significant problem

2005 - Safari 2 released - no anti-phishing tech

2006 - Firefox 2 release - Google anti-phishing plug-in optional

2006 - IE7 released with native anti-phishing filter.

2007 - Firefox adds native anti-phishing filter

2007 - Safari 3 released - no anti-phishing tech

2008 - Firefox 3 release - improved anti-phishing filter

August 6, 2008 12:34 PM
 

mikegalos@msn.com said:

OT - News (but there's no on-topic place for it so I'm putting it in the newest thread)

SQL Server 2008 released today. SQL Server 2008 Express and SQL Server Compact editions are available for free download today at www.microsoft.com/sqlserver.

We now return you to phishing.

August 6, 2008 12:51 PM
 

mikegalos@msn.com said:

tristanh

A great example of one group's competitor being another group's partner in this industry is one where Microsoft played both roles with different groups at IBM.

The new top performance on the Transaction Processing Council's TPC-E benchmark was with Microsoft SQL Server 2008 running on a 16 processor IBM x3950 server.

IBM hardware did the benchmark which showed off their server hardware despite another group at IBM making the DB2 database engine.

So IBM's hardware group considers SQL Server a partner while IBM's database software group considers SQL Server a big competitor.

August 6, 2008 1:02 PM
 

Waethorn said:

@mike:

I don't see anything to do with SQL 2008 besides RC0....and SQL Compact is embedded in applications, so installing it separately is kind of dumb.

August 6, 2008 1:42 PM
 

shark47 said:

I have seen a huge increase in the number of "Nigerian scam" and phishing emails that I receive lately. Hotmail does a pretty good job of delivering all such emails to my junk mail folder. It does have a few false positives, though. On the other hand, Yahoo!, irrespective of the spam settings is extremely weak when it comes to this. I've clicked on a couple of such sites for the heck of it and neither FF3 nor IE7 warned me. I guess the people who carry out these phishing attacks are getting smarter too.

August 6, 2008 1:51 PM
 

mikegalos@msn.com said:

Waethorn,

I suspect the downloads may take a while to migrate to the production servers but that's the link that Microsoft gave. (probably why they said "today" rather than "now")

As for Compact, it is typically embedded in apps which is why developers download and install it separately. It's not really a consumer download but not everybody here is just a consumer, there are some devs.

August 6, 2008 1:51 PM
 

mikegalos@msn.com said:

shark

Yes, the bad guys get better and now that they're pros rather than amateurs, getting better all the time is a part of their professional skills. It's why there are updates to the anti-malware local engines and why the online databases that power the phishing filters are pretty constantly updated. Even so, both sides are constantly playing catch-up.

August 6, 2008 1:57 PM
 

Snakedoctor1 said:

"It is not only naieve, it's dangerously naieve to think that the days of viruses are over."

Over in the sense of we are over protected to the point, like you said they have moved onto different ways of attacking.

The big attacks that took down MS customers, many corporate in nature during the early 2000 years were what is considered a true virus sent in an email, via payload.  That kind of attack is nil today because lots of attention was focused on that kind of attack, so much so that today it's basically a non-issue since most people are well protected.

Today they lure you in, you actually pull the trigger yourself, unknowingly.

August 6, 2008 2:09 PM
 

shark47 said:

"It's why there are updates to the anti-malware local engines and why the online databases that power the phishing filters are pretty constantly updated."

Maybe the easiest way is to flag all "Created on a Mac" sites as phishing sites.

Just kidding, John! Really.

August 6, 2008 2:11 PM
 

mikegalos@msn.com said:

Snake

Ah, that's clearer.

Still, there are a LOT of attacks that still don't require user participation especially on any system where the user runs with an Admin or root level account (like an iPhone or Windows XP or a user given bad advice from a well-meaning but ignorant friend...)

Remember that it doesn't take user intervention to exploit a hole in the OS and every OS has some holes. The key is how fast the vendor gets them fixed and how well the users keep up with their updates.

The recent ISP router issues show just how sophisticated some of the attacks are getting.

August 6, 2008 2:30 PM
 

whiplash55 said:

I don't think Consumer Reports is a useful source unless I'm looking at automobile  repair frequency. They once recommended single payer health care, an opinion my friend from BC laughed at considering it took him 3 freaking years to get his knee scoped (I waited a week).

Consumers Union is usually full of it, but they may be right about Safari and BMW's.

August 6, 2008 3:14 PM
 

mikegalos@msn.com said:

Whether Consumer Reports is a good, bad or mediocre source really doesn't matter on this issue. There's nothing controversial about their statement. There's no case of "well, they cared about different things than I do" which is the usual objection to their reviews.

Running a browser without a phishing filter is a BAD IDEA. Period. Any source out there (except possibly Apple, Inc.) will agree with that.

August 6, 2008 4:46 PM
 

subzerohitman721 said:

I think this report speaks to a lot of people. Consumer Reports is a very respected publication. Many will see this and avoid Safari because of the source. It's one publication which I view several months a year. Most people will see this and consider it golden advice.

However, I feel like I have a bone to pick with some of the Mac respondents in here. The Mac owners should be flooding Cupertino's email server with complaints and demanding that Apple get to work fixing security. Apple clearly has work to do on the security side, and a few of the resident Mac guys act like somebody's slapped their mothers. The Mac customers have both the moral and ethical obligation to hold Apple to task. You guys constantly rail on Microsoft about its problems. Turnabout is fair play as far as I am concerned.

Safari, Quicktime, iTunes on Windows, and Mobile Me are all showing a theme of insecure products and services from Apple. Some Mac users are blindly listening to ignorant marketing and not holding Apple accountable. I'm not happy that iTunes on Windows is a whopping 77 MB of hard drive space. Can we say excessive code bloat?

What will it take for the Mac community to wake up? A blaster/sasser like experience to shut down enough machines before the community changes its ways? Many on the Windows side learned a lot from blaster and sasser. I guess that's why Vista users are safer today than their Mac counterparts. Before someone says that doesn't happen anymore, if you were paying attention to the news, the Chinese/ Russian hackers of their respective nations are alive and hacking. What if they decide to exploit that carpet bomb attack on the Macs. Imagine the next day's headlines...

Example: Chinese hackers carpet bomb all Apple Mac's online. Millions of Macs compromised, Mac websites taken down. Windows OSes immune to attacks.

I hope I never have to wake up to this headline. Imagine what that will do to Apple's stock and to customer confidence? Fiction you say? Never say never. The exploits aren't going to plug themselves.

Perhaps Apple should take a page out of Microsoft's recent history and put Snow Leopard on hold while they fix Safari, Quicktime, iTunes, and Mobile Me. Before my example becomes tomorrow's headline.

August 6, 2008 9:14 PM
 

RunTimeError said:

"Running a browser without a phishing filter is a BAD IDEA. Period"

Clicking on every damn link that is emailed to you is an even worse idea.

At some point it's up to the end user to have some amount of brains no matter what platform you use.

Of course, this is merely a pipe dream. It's a sad fact that Average Joe will see an email that says the Bank lost all their info and they should CLICK HERE NOW TO RE-ENTER IT ALL BEFORE IT'S TOO LATE!!!!

Can you imagine these same people walking into a bank and having the teller say to their face: "I'm sorry we lost all your info. You have no access to your money"?

They'd freak the hell out. Yet there is some mystical quality to the Internet that turns regular Joes and Janes into trusting, drooling idiots.

August 6, 2008 9:15 PM
 

johnpapola said:

How to use OpenDNS to provide powerful anti-phishing to Safari and all mac browsers:

www.macworld.com/.../opendnsphish.html

August 6, 2008 9:17 PM
 

RunTimeError said:

I'm sorry, I'm taking the bait...

"I'm not happy that iTunes on Windows is a whopping 77 MB of hard drive space. Can we say excessive code bloat?"

In a day and age where 500GB hard drives are the norm, 77MB is nothing. Hell, even Vista's 15GB footprint is nothing.

And by the way: most Mac users are taking Apple to task. We use Firefox :)

August 6, 2008 9:20 PM
 

Snakedoctor1 said:

OpenDNS rocks.  If you get a free account you can tie it in with a free dyndns account and then any traffic coming into your circuit (home broadband) can use the OpenDNS filters that you choose.  Great stuff if you have kids.

August 6, 2008 9:26 PM
 

johnpapola said:

Funny... this site formats links in a way that isn't safe.  Notice the "...".  Just an observation.

August 6, 2008 10:05 PM
 

Dipsh t Admin said:

That link is actually quite safe the way it is displayed, since the full domain name is displayed, which is the first place to look for a phish.

"Clicking on every damn link that it emailed to you is an even worse idea."

That sound all find and dandy, but the phishers are getting better at their games, making pages that are only discernible by the super astute.  I typically look for grammar mistakes, particularly capitalization.  However, asking regular people to do this analysis is just not going to work.  A phishing filter is really a minimum requirement these days.  OpenDNS is great, but asking home users to go through these steps is really asking way too much.

August 6, 2008 11:02 PM
 

joe-dokes said:

My issue with anti-phishing technology is that it might give a false sense of security, in the same way that anti-virus software can provide a false sense of security.  Since none of these technologies is anywhere near 100% and one could argue even 75%, they may in fact encourage stupid behavior.

That being said, I've run across a total of about a dozen phishing emails in the past year. They ranged in quality from laughable to scary, scary as in they look good enough that, had I not been aware of the types of scams people run and the techniques people use, they may have fooled me. Fortunately, my wife believes everything is a scam.  Ironically, my wife found a phishing scam that used the LA Times.  A job ad was placed in the paper that, when researched, was a classic Nigerian scam, yet the ad was placed in a reputable paper.  Like I said, SCARY.

All that being said, some are critical of Apple security practices.  Mainly because they don't publicize ANY of them.  Without starting a debate about disclosure I will say that up until now their model is working.  Could it face serious problems in the future? Sure, but it probably has the expertise and resources to respond appropriately.

For example, from late 2007 to early 2008 Apple was hit with a bunch of vulnerabilities in Quicktime, a program so reviled on these boards many refuse to run it.  Yet, Apple did respond, they added a number of fixes to by February of 08.  While there have been and will continue to be security updates for both iTunes and Quicktime, the active exploitation of Quicktime by hackers has subsided.  They further strengthened Quicktime in June.

www.eweek.com/.../Apple-Adds-AntiHacker-Features-to-QuickTime

So while Mac OS X has not been a target, Quicktime has and Apple did respond, maybe not in the way you would've liked, but they did respond.  

Will Apple add anti phishing features?  Don't know, hope that when they do they're good.

Regards

Joe Dokes

August 7, 2008 12:25 AM
 

shark47 said:

"That sounds all fine and dandy, but the phishers are getting better at their games, making pages that are only discernible by the super astute."

I think domain highlighting in IE8 should be very useful when combined with the phishing filter. It's a simple feature that's probably not "cool" enough to make people switch, but might actually help a lot.

August 7, 2008 6:59 AM
 

Waethorn said:

@Mackies:

The "Smart car" is considered one of the most dangerous cars to drive in because of poor safety features (very short crumple zones, etc.) and ultra-compactness.  It's essentially a casket on wheels.  However, the usage rate is very low, and you don't hear about many major accident rates with it as a result.  There haven't been any major disasters with it yet, but the time will come when somebody gets into what would be a minor fender-bender in any other vehicle but dies a gruesome, bloody death, making people rethink their decision to own one.  >:P

So when can I expect you to put a downpayment on yours?

August 7, 2008 7:38 AM
 

Waethorn said:

....I should also point out that the Smart car has also been called "attractive", "sexy" and "easy to use".

Food for thought.

August 7, 2008 7:40 AM
 

Dude1313 said:

Waethorn  said:

It's not just about social engineering or viruses.  Corporate security companies pan OS X's security for the workplace once the investigators pass through the superfluous fog of "impenetration" that Apple creates in their marketing for the OS.  The source code is open, so as a buddy of mine that works for a major enterprise IT security firm likes to say:  "it's like giving the hijackers the blueprints for the WTC with a big arrow that says "CRASH HERE"."  

Funny thing is you keep saying this but then offer up no proof other than "My friend says"....

Harsh, but so very true

August 7, 2008 7:54 AM
 

lotsamystuff said:

"Funny thing is you keep saying this but then offer up no proof other than "My friend says"...."

Yeah, Wae's the king of anecdotal evidence. He's regaled us several times with his fascinating stories of malfunctioning Macs in Apple stores, frustrated consumers at Best Buy, and his own customers who straggle into his basement with their non-working Macs and beg him to replace them with a home-built Vista box. I guess that's why he hangs out at Apple stores looking for customers—they make great fodder for his comments.

But back on topic...

I think the CR recommendation makes sense. Safari has clearly lagged behind in offering phishing protection, and although one could argue with the efficacy of such "protection", the fact is it's part of what should be considered standard on a modern browser. Better alternatives are available, and they should be seriously considered.

August 7, 2008 8:09 AM
 

johnpapola said:

I think everyone reasonable can agree that Apple needs to do more from a communication standpoint.  Those that say it's "impossible" for them don't know the company that well.  Apple's Joe Schor, product manager for Aperture is very directly engaged with the community.  In fact, all of the pro-apps are.  It's a market Apple knows well and has a long relationship with.  They just need to realize that being opaque doesn't always serve them elsewhere.  

Security starts and stops with the user and having a false sense of security is worse than anything.  That's something Apple needs to fight.  They are correct that the Mac's track record on attack is superior.   Superior by a margin far in excess of their marketshare.  It's not like the Mac gets 3.5% of all attacks.  It gets almost zero. That's not proportional.  So they have a reasonable case to bring to consumers who have been burned on Windows.  It's fair for them to say "we're a safer neighborhood".

They just can't encourage users to leave the doors unlocked.

August 7, 2008 8:14 AM
 

tayme said:

@joe-dokes - "Could it face serious problems in the future? Sure, but it probably has the expertise and resources to respond appropriately."

You mean like they did here? www.scmagazineus.com/.../113260

"After waiting since the beginning of July, Apple has put out a patch for the DNS cache poisoning flaw discovered by security researcher Dan Kaminsky.

Cisco, Microsoft, Sun Microsystems and many Linux versions put out a fix for the flaw on July 8, when it was first disclosed. Apple had taken some heat when it did not release its patch then, too.

Andrew Storms, director of security operations for nCircle, said in a blog post that some of the patches for components in Apple's systems are incomplete."

Apple needs to get serious about security and quit assuming that they are invulnerable. As an Apple customer, I have sent an email asking why this took a month longer than any other company and why it is still not fully patched...have any of you?

--tayme

August 7, 2008 8:40 AM
 

Waethorn said:

"Funny thing is you keep saying this but then offer up no proof other than "My friend says"...."

You obviously know nothing about security firms (obviously), but there's something called an NDA at most of them.  Flaws and exploits are not discussed openly in public.  Apple follows this example to a tee - in fact, they deny all knowledge of it.

August 7, 2008 9:15 AM
 

Snakedoctor1 said:

@tayme,

This all happened a year ago with MS

www.itjungle.com/.../two042507-story02.html

In fact in that case some third party company came out with a patch because MS was dragging its feet.  Most people did not go with the 3rd party patch for fear of compatibility problems, and I agree with that.

Apple probably had to do more testing.  Also, the # of BIND DNS servers running on OS X, exposed to the internet, is probably so low they could have waited a year and not been hit.  This would probably only have affected OS X Server running DNS in a DMZ that was open to the internet.  Never have even seen this.  Usually it's a cheap Linux box doing this or an appliance.  Some all-Windows shops will use some low-powered Windows box, but I have never seen an OS X DNS server.

August 7, 2008 11:38 AM
 

Dude1313 said:

Waethorn  said:

"Funny thing is you keep saying this but then offer up no proof other than "My friend says"...."

You obviously know nothing about security firms (obviously), but there's something called an NDA at most of them.  Flaws and exploits are not discussed openly in public.  Apple follows this example to a tee - in fact, they deny all knowledge of it.

Yeah and he seems to be perfectly fine with discussing things with you... or at the very least it makes convenient fodder for your lack of facts backing it up.

August 7, 2008 12:21 PM
 

tayme said:

@Snake - Oh, I agree that MS has dragged their feet at times...but recently they have improved security practices greatly. I also know that not too many places use OS X as a DNS Server and that OS X has BIND disabled by default. I was responding to joe-dokes' post, which gave the standard response that would lead one to falsely believe that Apple is "better" at security response than all other OS makers...

--tayme

August 7, 2008 12:23 PM
 

Waethorn said:

"Yeah and he seems to be perfectly fine with discussing things with you..."

Considering that it was about a shared client whose two dedicated networks consist of one of Macs, running OS X Server (Tiger), and the other consisting of Windows Server 2003 R2 (which I'm currently in charge of), and they completely failed a wire-line penetration test on their Mac network, having had customer information databases successfully stolen, overwritten, and then deleted by an outside source, I'd say that working together with a buddy of mine already in the security industry wasn't disclosing any unnecessary information.  I sure had a laugh about it anyway.

BTW:  The client now does quarterly remote penetration tests through my buddy's company.  So far, the Windows network hasn't been penetrated.  The Mac one failed 4 more tests after the initial incident about a year ago.  Both systems have security updates deployed automatically to client machines too.

August 7, 2008 1:40 PM
 

Snakedoctor1 said:

@Waethorn do you come up with this stuff yourself or do you have some Word Macro that cranks out this fiction?

We could all post BS about My Vista is fine, My XP never crashes, My Mac has no problems.....BLAH....BLAH...BLAH.....YAWN!

I could find plenty links like this that are pro-Apple based on its security....

www.forbes.com/.../apple-army-hackers-tech-security-cx_ag_1221army.html

And probably the same for Windblows as well.

August 7, 2008 2:07 PM
 

Waethorn said:

"do you come up with this stuff yourself or do you have some Word Macro that cranks out this fiction?"

You mean like Mossberg's reviews?

Sorry, but no matter how hard you push those fingers in your ears, it's the absolute truth.

August 7, 2008 2:22 PM
 

johnpapola said:

@snake and everyone else that's reasonable,

just ignore Waethorn.  At some point, he'll tire of posting his apple-bashing garbage into a vacuum.  Responding just feeds his obsessive need to stroke his ego with self-declared victories in these discussions.

I've turned over a new leaf in this regard.  I'm hoping it will stick.

August 7, 2008 2:27 PM
 

subzerohitman721 said:

@johnpapola...

Regarding your comments on Apple doing better with communication, I agree. I believe that Apple should disclose exactly which bug fixes are being applied by updates and patches. If they did that, that would go a long way in acknowledging the problems and correcting them.

I also agree with you that users must acknowledge that the false sense of security does begin and end with the user. My own user experience has conditioned me to check updates at least once a week. I update my anti-virus every 2 to 3 days. It was this routine that protected my then XP system when Blaster hit back in 03. I think once people have an update and maintenance routine, computing will be a lot more stable. Then we can argue about other things.

Peace.

August 7, 2008 3:26 PM
 

johnpapola said:

@Sub,

Agreed on all fronts.  I think the thing is that OSX did have structural advantages over Windows, including the admin password requirement for software installation.

Vista has brought parity, and probably superiority to Windows over OSX... so now it's more about marketshare... though it's hard to deny the dearth of attacks given the visibility of the Mac.  Again, it's not like they are getting 3.5% of viruses and trojan horses and the rest.  So I find that interesting.  The Mac's "resurgence" has been in the news for years now, so I'm frankly amazed at the lack of a serious, broad attack.  There's something there that's not easily explained away by "tiny marketshare".

August 7, 2008 4:14 PM
 

shark47 said:

"Again, it's not like they are getting 3.5% of viruses and trojan horses and the rest.  So I find that interesting.  The Mac's "resurgence" has been in the news for years now, so I'm frankly amazed at the lack of a serious, broad attack.  There's something there that's not easily explained away by "tiny marketshare"."

Read the book 'The Tipping Point' by Malcolm Gladwell.

August 7, 2008 4:30 PM
 

Waethorn said:

"I believe that Apple should disclose exactly which bug fixes are being applied by updates and patches. If they did that, that would go a long way in acknowledging the problems and correcting them."

I second that.  For a company that relies heavily on open-source software at the core (and for john's claim that they are so "open"), they sure like to keep their secrets hidden behind the BSD license.  Luckily there are companies like Secunia, as well as my buddy's firm that acknowledge their flaws for them.

August 7, 2008 4:34 PM

About pthurrott

Paul Thurrott is the guy behind the SuperSite for Windows. Way behind. :)
© 2009 Penton Media, Inc.