All that is wrong with the world…

June 30, 2011

Pants vs Underpants

Filed under: Issues...the world...etc.., Travel — allthatiswrong @ 5:51 pm

It always irks me going to the UK and hearing underpants referred to just as pants. I know that it’s just a regional difference, but still. It never made sense to me to call underpants pants, and then all pants trousers. Then it came to me: by limiting the word pants to just underpants, there is then no way to refer to the entire set of non-underpants below-waist clothes. See, in US English, pants can refer to trousers, jeans, cords, sweatpants, slacks, shorts, parachute pants…whatever, with underpants being clear because they go under pants. With UK English, this doesn’t work. With pants relegated to meaning underwear, there is no word equivalent to pants in US English to refer to pants as a whole. You can refer to trousers as trousers, jeans as jeans and so on, but there is no word to refer to pants as a whole unless you go with trousers, which can be ambiguous. This is obviously a meaningless point as everybody understands each other and this problem never comes up as it is always obvious what is meant in context. Still, I think it’s interesting that one word for underwear can be said to have a disadvantage at all, as more often than not different words have no difference except as a result of perception.

How do people consider Astrology seriously?

Filed under: Issues...the world...etc.. — allthatiswrong @ 12:13 am

It bugs me how many people I know lend credibility to Astrology. So, I decided to rant about it here. People will probably point out I’m not saying anything new here, which is true. Even so, I want to rant and try to aggregate all the sources and arguments I have found in one place. People may find it useful – my goal is that once rational people have read this, they will no longer be able to make a rational argument justifying or defending modern day astrology. There have always been people skeptical of astrology, for example Francesco Guicciardini (1483-1540), a papal adviser, wrote: “How happy are the astrologers if they tell one truth to a hundred lies, while other people lose all credibility if they tell one lie to a hundred truths.” Yet here we are in 2011 with horoscopes in every newspaper printed around the world, with people taking it seriously and to various extents using it to guide their life.

I have never understood how people can believe in astrology with any degree of seriousness. I understand some people just see it as entertaining, except for many people it goes further than entertainment. Many people might get a tattoo of their horoscope honestly believing that their sign defines their personality. Others take it further, selecting the people they date or have relationships with based on their compatibility, or making big life decisions based on their horoscope. It’s interesting to me because people who believe in astrology are making exactly the same mistake as people who believe in various religions, yet often I hear people dismiss religion and claim to embrace science while also still subscribing to astrology. How can people be so stupid?

This year started off with an interesting astrology headline being in the news, when a Minnesota newspaper published a story claiming the signs had now changed dates to account for the moon’s wobble as well as a new sign, Ophiuchus, being introduced. Never mind the fact that western astrology is not affected due to using a tropical zodiac as opposed to a sidereal zodiac or the fact that the horoscope dates are about 3000 years off anyway, it still made the news and caused somewhat of a panic, highlighting just how ignorant people are of the things they put their faith in. So, western astrology uses a tropical zodiac which is based on seasons. What about the different hemispheres? Are the predictions reversed just as the seasons are? What I found interesting was people’s reactions to this story. It was clear that most people did not understand the system they decided to base their decision on, and that some people are so attached to it that they refused to accept the possibility that they may have to let go of their sign. Despite it being well known it was the first time many people had heard of it, yet it didn’t shake their faith at all.

Looking at various surveys it seems at least 1/3rd of Americans think astrology is a valid discipline with even more considering it to be scientific. That number isn’t too far removed from that of other western countries which isn’t so bad. It is far worse in other countries such as India where it was ruled to be a trusted science and is taught in universities. It’s just a shame to see so much of the world displaying stupidity to such a level. First of all (and this goes for religion as well) why would you consider the astrology of your culture to necessarily be correct? There are many different types of astrology and they tend to be mutually exclusive. What are the chances that the astrological system used where you happened to grow up also happens to be the correct one, given that only one can be correct?

Surely if there were anything to astrology, we would see some consistency in the observations made by all the different astrological systems. It doesn’t matter if they get some minor details wrong or personality profiles differ, but there should at least be something quantifiable. That there isn’t would seem to support the theory that all astrological systems are purely interpretive and speculative, deriving from the culture they develop out of. It’s hard to try and disprove some of the claims made by astrology due to them not being falsifiable. However every test we have done has demonstrated that any astrological prediction is no more reliable than what is expected by chance. Even the studies we have done with twins have failed to find any inkling of evidence for astrology. One study followed over 2000 people born just minutes apart for decades and failed to find any evidence of meaningful similarities. The closest we have ever come to finding something meaningful that may support astrology was the interesting correlation known as the Mars effect, although even this was meaningless, simply being explained by selection bias.

It just seems so ridiculous that people take this seriously, and that it is lent credibility by governments and academics. It is a guarantee that most daily horoscopes will contradict each other rather than harmonize. There is no evidence for any terrestrial body having any causal effect on personality or events in life. At the most a sometimes meaningless correlation might be found. Astrology is only evidence of people having a desire to defer to fatalism, lessening the burden of life by taking solace in the fact that some decisions are outside of their control. This type of ignorance is dangerous and we as a society should take steps to correct it rather than embrace it. What can we do apart from educate people as to why it is bunk? People should be free to believe what they like, but we should prevent astrology being taught as though it were science.

A somewhat unrelated note that I always thought was interesting is that it always seems that far more women believe in astrology than men. Anecdotally that seems true, but I can’t actually find any information on this. It does seem that there is far more astrology advertising targeted towards women in magazines and on women’s television networks and I would wager that the advertising companies did their research. One theory is that women are not more likely to believe in paranormal theories than men, just that they tend to believe in more social paranormal phenomena while men tend to believe in creatures or entities. It isn’t really relevant but I can’t help but find that interesting.

What about the accuracy of signs for personality descriptions? Many people dismiss the daily horoscopes yet still cling to the idea that the zodiac personality profiles are accurate. Well, after searching several sources to try and find a consistent description for my sign, as a Cancer I apparently hold the following traits:

• I am a hoarder, collecting things and keeping for a long time, things which others would tend to discard.

• I am overly emotional, very prone to mood swings and showing whatever emotion I am feeling expressively.

• I am artistic. As I am so emotional art serves as an outlet for my excess emotional energy.

• I crave and adore attention, like being the star of the party.

• I have a great sense of humor and it is one of my stronger points.

• I likely have a tendency to be patriotic.

Well… those traits are either entirely inaccurate or so general as to apply to far more than 1/12th of the population. I am far from a hoarder, traveling around the world with nothing but a messenger bag full of essentials. I tend to be less emotional than most people, not more, which is actually the cause of some problems in my personal life. I have literally zero artistic ability. I can’t draw even the simplest of shapes with any degree of accuracy. It’s true that I like attention and many people think I have a great sense of humor, however I am not patriotic in the least, and don’t think much of those that are. So, the only two traits which are actually accurate are extremely general, probably occurring in other sign profiles as well. It’s based on these profiles that people are deciding relationships and making serious life decisions. Such a shame.

In my case my sign profile tends to be more inaccurate than not, however in many cases people will feel that their profile is eerily accurate. This is easily explained by what is known as the Forer effect, where a statement seemingly tailored to an individual will consist of entirely general statements, which the individual then interprets in a specific way relevant to themselves. The name comes from an experiment where the following statement was given to a group of people:

You have a great need for other people to like and admire you. You have a tendency to be critical of yourself. You have a great deal of unused capacity which you have not turned to your advantage. While you have some personality weaknesses, you are generally able to compensate for them. Disciplined and self-controlled outside, you tend to be worrisome and insecure inside. At times you have serious doubts as to whether you have made the right decision or done the right thing. You prefer a certain amount of change and variety and become dissatisfied when hemmed in by restrictions and limitations. You pride yourself as an independent thinker and do not accept others’ statements without satisfactory proof. You have found it unwise to be too frank in revealing yourself to others. At times you are extroverted, affable, sociable, while at other times you are introverted, wary, reserved. Some of your aspirations tend to be pretty unrealistic. Security is one of your major goals in life.

They were asked to rate its accuracy on a scale of 1 – 5, with the average score being 4.26. The statement is so general and vague that of course people are going to be able to relate it to themselves. The problem is that not enough people seem to be aware of this basic psychological phenomenon, thus wasting millions on fraud and continuing a cycle of ignorance which only hinders our progress.

We shouldn’t dismiss astrology entirely as it is a part of our history, but it should be relegated to the same status as alchemy: an interesting part of our history that we now know is false, but is useful in seeing how we arrived at the modern disciplines of psychology and astronomy. Much like alchemy spawned chemistry, astrology played a part in initiating the science of astronomy. Looking at the parts of astrology that relate directly to astronomy, they were not bad for speculative guesses and the same goes for the psychological parts. It’s just that now we understand the two are not tied together at all. The idea that we were somehow controlled by the stars has been questioned ever since the idea was first proposed; to see it still being taught and practiced seriously in the modern day when we know better is appalling. We should always dismiss astrology as 100% bullshit but this doesn’t mean dismissing the part it played in our history.

It is also important to consider the possibility of an as yet undiscovered force. To do this we have to look at Astrology at a more abstract level, which means disregarding all the various systems of astrology we have today or have had throughout history, and simply considering the possibility that there is a force that can have an impact on individuals born at certain times that is so far immeasurable. Well, that is extremely unlikely, but we can’t rule it out completely. By the same token, there is absolutely no reason to consider that as likely. Phil Plait of Bad Astronomy does a pretty good job explaining why astrology could not possibly be due to any known force or an unknown force here. I feel he prematurely dismisses the possibility of an unknown force by making a lot of assumptions about the hypothetical unknown force, however I don’t know nearly enough about physics or astronomy to say why he might be wrong.

While Astrology is often seen as harmless in reality it has consequences for society. It undermines real science and makes fighting pseudoscience such as this that much harder because people are not willing to accept that something given so much credibility may in fact be completely bunk. It makes it harder to defend vaccinations, to debunk homeopathy or anything similar. Ideally astrologers should be legally forced to have disclaimers saying astrology can only be considered as entertainment and there is no reason to take it seriously, although I don’t see that happening any time soon.

References

  1. http://www.randi.org/encyclopedia/astrology.html – Article on astrology from the Randi encyclopedia
  2. http://www.startribune.com/newsgraphics/113661579.html?elr=KArks7PYDiaK7DUoaK7D_V_eDc87DUiacyKUbPi87EK_g:D_GD7EaDh_0c:aD:aUr – Star Tribune article on new sign Ophiuchus
  3. http://news.blogs.cnn.com/2011/01/13/no-your-zodiac-sign-hasnt-changed/?hpt=C2 – CNN article explaining why peoples signs did not change.
  4. Forer effect – Wikipedia, the free encyclopedia – Wiki page on the Forer effect
  5. http://www.telegraph.co.uk/news/uknews/1439101/Astrologers-fail-to-predict-proof-they-are-wrong.html – Article about the most comprehensive study done on astrology
  6. http://en.wikipedia.org/wiki/Mars_effect – Wiki page on the Mars effect
  7. http://www.smh.com.au/opinion/blogs/sceptic-science/do-women-want-to-believe-20110105-19fr2.html – Do more women believe in the paranormal than men?
  8. http://www.astrology-online.com/cancer.htm – Personality profile for Cancer.
  9. http://www.badastronomy.com/bad/misc/astrology.html – Phil Plait on Astrology
  10. http://www.youtube.com/watch?v=haP7Ys9ocTk – YouTube – Derren Brown on Astrology
  11. http://www.youtube.com/watch?v=Iunr4B4wfDA&feature=related – YouTube – Carl Sagan on Astrology
  12. http://www.scientificamerican.com/article.cfm?id=patternicity-finding-meaningful-patterns – Interesting article about how people find patterns where there are none.

June 23, 2011

OS X – Safe, yet horribly insecure

Filed under: Security, Tech — allthatiswrong @ 2:48 am

Introduction

I have had this article planned since the end of 2009 and have had it as a skeleton since then. I wanted to point out the many problems with OS X security and debunk the baseless myth that OS X is somehow more secure. Despite 18 months passing by before I managed to finish it, not much seems to have changed. I think I am publishing at an interesting time, however, just as malware for OS X is increasing and Apple are starting to put effort into securing OS X with the soon to be released Lion. There is no FUD in this article, just an analysis of the available evidence and some speculation. My motivation to write this article was the hordes of OS X users who are either blind or have been misled by false advertising into believing OS X is somehow immune to malware and attacks.

It is one of the most prevalent myths among the computer purchasing public, and to a lesser extent those who work in IT, that Apple computers are far more secure than their Windows and perhaps Linux counterparts. The word myth is precisely accurate, as OS X and other Apple software are among the most vulnerable software on consumer devices today. Apple have an appalling attitude towards security which often leaves their users highly vulnerable while hyping their products as secure, simply because they are rarely targeted. It is important before going further to note the difference between a distributed attack and a targeted attack. A distributed attack is one not specific to any one machine or network, but will exploit as many machines as it can that are affected by a particular set of vulnerabilities, of which OS X has had many. An example of a distributed attack is a drive-by download, where the target is unknown, but if the target is vulnerable the exploit should work. Distributed attacks are used to infect large numbers of machines easily, which are then generally joined into a botnet to earn cash.

A targeted attack is more specific, where a single machine or network is attacked. A targeted attack is not blind and is specific to the machine being attacked. Distributed attacks such as drive-by downloads are impersonal by nature because they must compromise thousands of machines, while the motivation behind a targeted attack tends to be more personal, perhaps to steal confidential files or install some sort of backdoor. The argument always seems limited to distributed attacks, which admittedly are nowhere near the problem they are for Windows. This is more than likely because Apple has a very low market share of PCs, simply making it less than worthwhile to invest in writing software to attack as many machines as possible when money is the motivation. I go into this in further detail in a later section.

Using a Mac may certainly be a safer choice for a lot of people as despite being vulnerable they are not targeted. However this is not the same as Macs being secure, something Eric Schmidt erroneously advised recently. I may be able to browse impervious to malware on a Mac at the moment, however I personally would not be comfortable using a platform so easily compromised if someone had the motivation to do so. In this article I address just why OS X is so insecure, including the technical shortcomings of OS X as well as Apple’s policies as a company that contribute to the situation.

A trivial approach to security

One of the most annoying claims made by OS X (and Linux) users is that the UNIX heritage results in a far more secure design, making it more immune to malware. Nothing could be further from the truth. The UNIX design is significantly less granular than that of Windows, not even having a basic ACL. The UNIX design came from a time when security was less of an issue and not taken as seriously as it is now, and so does the job adequately. Windows NT (and later OSes) were actually designed with security in mind and this shows. Windows was not such a target for malware because of its poor security design; it is because the security functionality was never used. When everybody runs as Administrator with no password then the included security features lose almost all meaning. Point for point Windows has a more secure design than OS X, and if used properly the damage can be minimized significantly more on a Windows machine than on an OS X machine, UNIX heritage or not.

A lot of OS X users seem to have this idea that Apple hired only the best of the best when it came to programmers while Microsoft hired the cheapest and barely adequately skilled, which not least resulted in OS X being a well designed piece of software completely free of vulnerabilities. In reality OS X machines have always been easily exploited and are among the first to be compromised at various security conferences and competitions. The vast majority of exploits that have been publicly demonstrated could have been used to write a successful virus or worm. Given how lax Apple is with security updates and any kind of proactive protection, any prospective attacker would have quite a field day. The only reason this has not happened yet is not because Apple is magically more secure, it’s because no one has bothered to take the opportunity. It isn’t like no OS X viruses exist. Even without the poor approach Apple takes to security, there would be no basis for claiming the design of OS X is more secure than that of other platforms.

Apple is generally months behind fixing publicly disclosed vulnerabilities, often only doing so before some conference to avoid media reporting. They often share vulnerabilities with core libraries in other UNIX-like systems, with Samba and Java being two examples. They are extremely difficult to deal with when trying to report a vulnerability, seemingly not having qualified people to accept such reports. Even if they do manage to accept a report and acknowledge the importance of an issue they can take anywhere from months to a year to actually fix it properly.

People always get caught up in the hype surrounding viruses and how OS X is seemingly impervious while forgetting that that is not the only type of threat. Personally for me, malware is a minor threat with the impact being negligible as long as you follow basic security practices and can recognize when something looks out of place. The idea of someone targeting me specifically on a network either because it is so vulnerable that it is child’s play or because they want something from my machine is far more worrying. This is significantly harder to protect against on OS X when you can’t rely on the manufacturer to issue patches in anything that could be considered a prompt timeframe or even to acknowledge that vulnerabilities exist. Given that this is the Apple philosophy, it is hard to pretend to be safe on an Apple machine.

Examples and details

Every OS except OS X has a full implementation of ASLR, stack canaries, executable space prevention, sandboxing and more recently mandatory access controls. OS X doesn’t even try to implement most of these basic protections and the ones it does, it does poorly. I don’t understand why security folk use OS X at all, given its plethora of problems. Yes, they are pretty and yes it is UNIX and yes you are very safe using it, but given security folks tend to be working on various exploits and research that they would want to keep private, using a platform so vulnerable to targeted attacks would not seem to be the smartest move.

Apple to date do not have a proper DEP or ASLR implementation, two well known technologies that have been implemented in other OSes for the last five years. Apple did not bother to implement DEP properly except for 64-bit binaries, and even then there was no protection on the heap even if it was marked as non-executable. Apple technically implements ASLR, but in such a way that they may as well not have bothered. The OS X ASLR implementation is limited to library load locations. The dynamic loader, heap, stack and application binaries are not randomized at all. Without bothering to randomize anything except library load locations their implementation is useless aside from perhaps preventing some return-to-libc attacks. We can see using the paxtest program from the PaX team (the same team who initiated ASLR protections on PCs) that OS X fails most of these tests (Baccas P, Finisterre K, H. L, Harley D, Porteus G, Hurley C, Long J. 2008). Apple’s decision not to randomize the base address of the dynamic linker DYLD is a major failing from a security point of view. Charlie Miller has demonstrated how a ROP payload can be constructed using only parts of the non-randomized DYLD binary. Snow Leopard unfortunately did not improve on things much except to add DEP protection to the heap, still only for 64-bit applications. This means that most of the applications that ship with OS X (including browser plugins) are far easier to attack than applications on pretty much any other platform.
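A small check in the spirit of the paxtest comparison above, as an added example that is not part of the original article or of paxtest itself: it records one address each for the executable, static data, heap, stack and a shared library, re-runs itself several times, and reports which regions moved between runs. The region names, the `--child` flag and all function names are this example's own; it assumes a POSIX system and that `stdout` points into the C library's data.

```c
#define _POSIX_C_SOURCE 200809L /* popen, pclose */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One representative address per region; all names are this example's own. */
enum { R_TEXT, R_DATA, R_HEAP, R_STACK, R_LIB, R_COUNT };
static const char *const region_name[R_COUNT] = {
    "executable text", "static data", "heap", "stack", "shared library"
};
struct layout { uintptr_t addr[R_COUNT]; };
static int data_marker; /* lives in the executable's data segment */

/* Record where each region sits in the current process. */
void sample_layout(struct layout *out)
{
    int stack_marker = 0;
    void *heap_marker = malloc(64);
    out->addr[R_TEXT]  = (uintptr_t)&sample_layout;
    out->addr[R_DATA]  = (uintptr_t)&data_marker;
    out->addr[R_HEAP]  = (uintptr_t)heap_marker;
    out->addr[R_STACK] = (uintptr_t)&stack_marker;
    /* Assumption: the FILE object behind stdout is C library data. */
    out->addr[R_LIB]   = (uintptr_t)(void *)stdout;
    free(heap_marker);
}

/* Serialise a sample as "LAYOUT <hex> <hex> ..." so a child run can report it. */
int format_layout(const struct layout *l, char *buf, size_t len)
{
    int off = snprintf(buf, len, "LAYOUT");
    for (int r = 0; r < R_COUNT && off > 0 && (size_t)off < len; r++)
        off += snprintf(buf + off, len - (size_t)off, " %" PRIxPTR, l->addr[r]);
    return (off > 0 && (size_t)off < len) ? 0 : -1;
}

/* Parse a line produced by format_layout; -1 on malformed or short input. */
int parse_layout(const char *line, struct layout *out)
{
    if (strncmp(line, "LAYOUT", 6) != 0)
        return -1;
    const char *p = line + 6;
    for (int r = 0; r < R_COUNT; r++) {
        char *end;
        unsigned long long v = strtoull(p, &end, 16);
        if (end == p)
            return -1;
        out->addr[r] = (uintptr_t)v;
        p = end;
    }
    return 0;
}

/* Bitmask with bit r set when region r has a different address in a and b. */
unsigned randomized_mask(const struct layout *a, const struct layout *b)
{
    unsigned mask = 0;
    for (int r = 0; r < R_COUNT; r++)
        if (a->addr[r] != b->addr[r])
            mask |= 1u << r;
    return mask;
}

int main(int argc, char **argv)
{
    struct layout first = {{0}}, cur;
    char line[256], cmd[4096];
    unsigned moved = 0;
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        sample_layout(&cur);
        if (format_layout(&cur, line, sizeof line) != 0)
            return 1;
        puts(line);
        return 0;
    }
    /* Compare identical child invocations with each other: same argv and
     * environment, so a stack difference comes from randomization only. */
    snprintf(cmd, sizeof cmd, "'%s' --child", argv[0]);
    for (int i = 0; i < 4; i++) {
        FILE *p = popen(cmd, "r");
        int ok = p && fgets(line, sizeof line, p) && parse_layout(line, &cur) == 0;
        if (p) pclose(p);
        if (!ok) {
            fprintf(stderr, "could not sample a child run\n");
            return 1;
        }
        if (i == 0)
            first = cur;
        else
            moved |= randomized_mask(&first, &cur);
    }
    for (int r = 0; r < R_COUNT; r++)
        printf("%-16s %s\n", region_name[r], ((moved >> r) & 1) ? "randomized" : "FIXED");
    return 0;
}
```

Build it as a position-independent executable (for example `cc -fPIE -pie`) before reading the first two rows, since a non-PIE binary has a fixed text and data address on any system.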

The firewall functionality in OS X is impressive, but hardly utilized. The underlying technology, ipfw, is powerful and more than capable of protecting OS X from a wide variety of threats, however Apple barely utilizes it. The OS X firewall is disabled by default and application based, meaning it is still vulnerable to low level attacks. Even if the option to block all incoming connections was set it didn’t do this, still allowing incoming connections for anything running as the root user, with none of the listening services being shown in the user interface.

Apple introduced rudimentary blacklisting of malware in Snow Leopard via xprotect.plist, which works so that when files are downloaded via certain applications they set an extended attribute which indirectly triggers scanning of the file. However many applications such as IM or torrent applications do not set the extended attribute, thus never triggering the Xprotect functionality. A fine example of this is the trojan iWorks which was distributed through torrents, and never triggered Xprotect. At the moment it can only detect very few malware items, although as a response to the MacDefender issue this is now updated daily. Only hours after Apple’s update to deal with MacDefender was released, a new version that bypasses the protection was discovered, highlighting the shortcomings of the Xprotect approach. Since it relies on an extended attribute being set in order to trigger scanning, any malware writer will target avenues of attack where this attribute will not be set, and for drive-by download attacks it is completely useless. Still, it is a good first step for Apple acknowledging the growing malware problem on OS X and starting to protect their users.

It has been a shame to see the sandboxing functionality introduced in Leopard not being utilized to anywhere near its full capacity. Apple are in a unique position where by controlling the hardware and the operating system they have created a truly homogeneous base environment. It would be very easy to have carefully crafted policies for every application that ships with the base system, severely limiting the damage that could be caused in the event of an attack. They could go even further and import some of the work done by the SEDarwin team, allowing for even greater control over applications. They would not have to present this to the user and would probably prefer not to, yet doing so would put them far ahead of all the other operating systems in terms of security at this point.

Security wise Apple is at the same level as Microsoft in the early 90’s and early 2000’s, continuing to ignore and dismiss the problems without understanding the risks and not even bothering to implement basic security features in their OS. With an irresponsible number of setuid binaries, unnecessary services listening on the network with no default firewall, useless implementations of DEP and ASLR and a very poor level of code quality with many programs crashing with a trivial amount of fuzzing, Apple are truly inadequate at implementing security. This still doesn’t matter much as far as distributed attacks go, at least not until Apple climbs higher in market share, but I really dislike the idea of someone being able to own my system just because I happened to click on a link. At least with Apple giving regular updates via Xprotect and including a Malware help page in Snow Leopard we have evidence that they are starting to care.

An appalling record

A great example of Apple’s typical approach to security is the Java vulnerability that, despite allowing for remote code execution simply by visiting a webpage, Apple left unpatched for more than six months, only releasing a fix when media pressure necessitated that they do so. When OS X was first introduced the system didn’t even implement shadow file functionality, using the same password hashing AT&T used in 1979, simply relying on obscuring the password via a pretty interface. This is indicative of the attitude Apple continues to have to this very day, having a horribly insecure design for the sake of convenience and aesthetics, only changing when pressure necessitates it. One of the most interesting examples of this is that regularly before the Pwn2Own contests where Apple’s insecurity is put on display, they release a ton of patches. Not when they are informed of the problem and users are at risk, but when there is a competition that gets media attention and may result in them looking bad.

Being notoriously hard to report vulnerabilities to does not help either. If a company does not want to hear about problems that put their machines and thus customers at risk it is hard to say that they are taking security seriously. As is the case at the moment if you try and report a vulnerability to Apple it will likely get rejected with a denial and after retrying several times it may be accepted, where a patch may be released any number of weeks or months later. Apple still have a long way to go before demonstrating they are committed to securing OS X rather than maintaining an image that OS X is secure. Having a firewall enabled by default would be a start, something Windows has had since XP. Given the homogeneous nature of OS X this should be very easy to get off the ground and it may well be the case with Lion.

The constant misleading commercials are another point against Apple, constantly misleading users that OS X is secure and does not get viruses (implying that it cannot) or have any security problems whatsoever. Not only do they exaggerate the problem on Windows machines, they completely ignore the vulnerabilities OS X has. Most recently, evidence of Apple’s aforementioned attitude can be seen in their initial response to the MacDefender malware. Rather than address the issue and admit that a problem exists they kept their heads in the sand, even going so far as to instruct employees not to acknowledge the problem. To their credit Apple did change their approach a few days later, issuing a patch and initiating a regularly updated blacklist of malware. Their blacklist implementation has flaws, but it is a start.

As much as users and fans of Apple may advocate the security of OS X it is very important to note that OS X has never implemented particularly strong security, has never had security as a priority and is produced by a company that has demonstrated over and over that security is a pain which they would rather ignore, leaving their users at risk rather than acknowledge a problem.

Malware for OS X increasing

It’s true that doomsday for OS X has long been predicted, although the predictions lacked a precise time reference. An article by Adam O’Donnell has used game theory to speculate that market share is the main cause for malware starting to target a platform, the result of a tradeoff between a lack of protection and a high enough percentage of users to take advantage of to make the investment worthwhile. The article made the assumption that all PCs were using AV software and assumed an optimistic 80% detection success rate. If the PC defense rate were higher, then OS X would become an attractive target at a much lower market share. According to the article, if PC defenses were at around 90% accuracy, then OS X would be a target at around 6% market share. The estimated percentage from the article is just under 17%, and just as some countries have reached around that number we are starting to see an increase in malware for OS X. It may be a coincidence but I will not be surprised if the trend continues. Given Apple’s horrid security practices and insecurity it’s going to increase quite noticeably unless Apple changes their act. Aside from market share another important factor is the homogeneity of the platform, making OS X an extremely ideal target once the market share is high enough.

A lot of people are saying they will believe the time for OS X has come when they see an equivalent to a Code Red type of worm, except that this is never going to happen. Worms shifted from being motivated by fame to having a financial motivation, with the most recent OS X malware being linked to crime syndicates. With the security protections available in most OSes these days (aside from OS X) being more advanced, it takes more skill to write a virus to infect at the scale of something like Code Red, and the people who do have that skill are not motivated to draw attention to themselves. These days malware is purely about money, with botnets going out of their way to hide themselves from users. Botnets on OS X have been spotted since 2009, and OS X is going to be an increasing target for these types of attacks without ever making the headlines as Windows did in the 90s.

Another contributing factor that should not be overlooked is the generally complacent attitude of OS X users towards securing their machines. Never faced with malware as a serious threat and being shoveled propaganda convincing them that OS X is secure, most OS X users have no idea how to secure their own machines, with many unable to grasp the concept that they may be a target for attack. The MacDefender issue already showed how easy it is to infect a large number of OS X users. Windows users are at least aware of the risk and will know to take their computer in to get fixed or to run an appropriate program, whereas it seems OS X users simply deny the very possibility. As Apple’s market share increases, the ratio of secure users to vulnerable users continues to slide further apart. With more and more people buying Apple machines and not having any idea how to secure them, or that they even should, there are that many more easy targets. Given the insecurity of OS X and the naivety of the users, I do think it is only a matter of time before OS X malware becomes prevalent, although not necessarily in a way that will make the news. This means the problem is going to get worse, as users are going to keep getting infected and not realize it while believing their machines are clean and impervious to risk.

People also have to get over the idea that root access is needed for malware to be effective. Root access is only needed if you want to modify the system in some way so as to avoid detection. Doing so is by no means necessary, however, and a lot of malware is more than happy to operate as a standard user, never once raising an elevation prompt and silently infecting or copying files, sending out data, doing processing, or whatever malicious thing it may do.

Macs do get malware, even if it is a significantly smaller amount than there is for Windows. Given the emergence of exploit creation kits for OS X, malware is inevitably going to increase for OS X. Even if it never gets as bad as it was for Windows in the 90s, it is important not to underestimate the threat of a targeted attack. Rather than encouraging a false sense of security, Apple should be warning users that it is a potential risk and teaching users how to look for signs and deal with it. The Malware entry in the Snow Leopard help is a small step in the right direction. There isn’t much Apple can do to prevent targeted attacks, except maybe fixing their OS and being proactive about security in the first place.

Much room for improvement

One thing OS X did get right was making it harder for key loggers to work. As of 10.5 only the root user can intercept keyboards, so any app making use of EnableSecureEventInput should theoretically be immune to key logging. Of course, if remote code execution is possible then that is a very minor concern. The protection requires the developer to specifically make use of that function, which is automatic for Cocoa apps using a SECURETEXTFIELD. This does not completely prevent keyloggers from working, as applications not making use of that functionality will be vulnerable to keylogging, such as was the case with Firefox and anything not using a secure text field. And given the prevalence of privilege escalation attacks on OS X, it would not be hard to install a keylogger as root. However, this is a great innovation and something that I would like to see implemented in other operating systems.
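What opting in looks like for an app that draws its own input field instead of using Cocoa's secure text field, as an added example that is not part of the original article or any Apple sample. `SecretEntryView` and its members are hypothetical names; the three Carbon calls are the real API, and ARC is assumed.

```objective-c
// Added example: hold secure event input only while this view has focus.
#import <Cocoa/Cocoa.h>
#import <Carbon/Carbon.h>  // EnableSecureEventInput, DisableSecureEventInput
@interface SecretEntryView : NSView  // hypothetical custom password view
@property (nonatomic, readonly) NSMutableString *typed;  // entered characters
@end

@implementation SecretEntryView {
    BOOL _holdsSecureInput;  // YES while this view owns one Enable call
}

- (instancetype)initWithFrame:(NSRect)frame {
    if ((self = [super initWithFrame:frame])) {
        _typed = [NSMutableString string];
        NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
        [nc addObserver:self selector:@selector(appDidResignActive:)
                   name:NSApplicationDidResignActiveNotification object:nil];
        [nc addObserver:self selector:@selector(appDidBecomeActive:)
                   name:NSApplicationDidBecomeActiveNotification object:nil];
    }
    return self;
}

- (void)dealloc {
    [[NSNotificationCenter defaultCenter] removeObserver:self];
    [self releaseSecureInput];  // never leave an unbalanced Enable behind
}

- (BOOL)acceptsFirstResponder { return YES; }

// Enable/Disable calls are counted, so each Enable gets exactly one Disable.
- (void)holdSecureInput {
    if (!_holdsSecureInput && EnableSecureEventInput() == noErr) _holdsSecureInput = YES;
}
- (void)releaseSecureInput {
    if (_holdsSecureInput) { DisableSecureEventInput(); _holdsSecureInput = NO; }
}

- (BOOL)becomeFirstResponder {
    BOOL ok = [super becomeFirstResponder];
    if (ok) [self holdSecureInput];
    return ok;
}
- (BOOL)resignFirstResponder {
    BOOL ok = [super resignFirstResponder];
    if (ok) [self releaseSecureInput];
    return ok;
}

// Give the protection up in the background, take it back when frontmost again.
- (void)appDidResignActive:(NSNotification *)note { [self releaseSecureInput]; }
- (void)appDidBecomeActive:(NSNotification *)note {
    if (self.window.firstResponder == self) [self holdSecureInput];
}

- (void)keyDown:(NSEvent *)event {
    // Fail closed: refuse keystrokes if secure input is not active.
    if (!IsSecureEventInputEnabled()) { NSBeep(); return; }
    [self.typed appendString:event.characters ?: @""];
}
@end
```

Any key-handling path that skips these calls gets no protection, which is the gap the paragraph describes for applications that do not use a secure text field.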

Apple asked security experts to review Lion, which is a good sign, as long as they actually take advice and implement protections from the ground up. Security is a process which needs to be implemented from the lowest level, not just slapped on as an afterthought as Apple have tended to do in the past. I think the app store in Lion will be interesting. If Apple can manage to control the distribution channels for software, then they will greatly reduce the risk of malware spreading. At the moment most software is not obtained via the app store and I don’t ever expect it to be. Still, the idea of desktop users being in a walled garden would be one solution to the malware problem.

Lion is set to have a full ASLR implementation (finally), including all 32-bit applications and the heap. Together with more extensive use of sandboxing, it looks like Apple is starting to actually lock down their OS, which means they understand the threat is growing. It will be interesting to see if Apple follows through on the claims made for Lion, or if they fall short much like what happened with Snow Leopard. Personally I think Lion is going to fall short while the malware problem for OS X will get serious, but it won’t be until 10.8 that Apple takes security seriously.

Update 1 – June 28th 2011

Updated minor grammatical mistakes.

It is amazing the knee-jerk response I have seen to this article, where people start saying how there are no viruses for OS X, which is something I acknowledge above. I guess people don’t care if they are vulnerable as long as there are no viruses? Then people start attacking the claim that OS X has no ACL, which is a claim I never made. I guess the truth hurts and attacking men made of straw helps to ease the pain.

References

  1. http://secunia.com/advisories/product/96/?task=statistics – A list of OS X vulnerabilities.
  2. http://www.telegraph.co.uk/technology/apple/8550005/Eric-Schmidt-get-a-Mac-if-you-want-to-be-secure.html – Eric Schmidt on OS X.
  3. http://www.sophos.com/en-us/Search-Results.aspx?search=OSX&refine=1a1e9ea6979a493dba64e1b2ced03044 – A list of OS X viruses from Sophos.
  4. Baccas P, Finisterre K, H. L, Harley D, Porteus G, Hurley C, Long J, 2008. OS X Exploits and Defense, p. 269-271.
  5. http://securityevaluators.com/files/papers/SnowLeopard.pdf – Charlie Miller’s talk on Snow Leopard security.
  6. http://www.computerworld.com/s/article/9217163/Mac_OS_update_detects_deletes_MacDefender_scareware_ – Apple releases an update to deal with MacDefender.
  7. http://news.yahoo.com/s/livescience/20110601/sc_livescience/newmacdefenderdefeatsapplesecurityupdate – A variant of MacDefender appeared hours after Apple’s update was released.
    http://news.cnet.com/8301-10784_3-9759132-7.html – Charlie Miller talking about setuid programs in OS X.
  8. http://www.zdnet.com/blog/security/mac-os-x-vulnerable-to-6-month-old-java-flaw/3433 – Apple taking 6 months to patch a serious Java vulnerability.
  9. http://www.dribin.org/dave/blog/archives/2006/04/28/os_x_passwords_2/ – Apple using password hashing from 1979 in lieu of a shadow file.
  10. http://www.youtube.com/watch?v=CHFy6egYcUg – Misleading commercial 1.
  11. http://www.youtube.com/watch?v=iPc0NCIZz8s – Misleading commercial 2.
  12. http://www.youtube.com/watch?v=cLVS3QVxhDg – Misleading commercial 3.
  13. http://www.zdnet.com/blog/bott/an-applecare-support-rep-talks-mac-malware-is-getting-worse/3342 – Apple representatives told not to acknowledge or help with OS X malware 1.
  14. http://www.msnbc.msn.com/id/43101276/ns/technology_and_science-security/ – Apple representatives told not to acknowledge or help with OS X malware 2.
  15. http://www.securitymetrics.org/content/attach/Metricon2.0/j3attAO.pdf – Adam O’Donnell’s article – When Malware Attacks (Anything but Windows).
  16. http://royal.pingdom.com/2011/03/16/the-10-most-mac-friendly-countries-on-the-planet/ – OS X market share by region.
  17. http://www.pcworld.com/article/228961/beware_of_malware_apple_users_even_as_mac_defender_details_emerge.html – MacDefender linked to crime syndicates.
  18. http://www.zdnet.com/blog/bott/crying-wolf-apple-support-forums-confirm-malware-explosion/3351 – Many users hit by MacDefender.
  19. https://threatpost.com/en_us/blogs/crimeware-kit-emerges-mac-os-x-050211 – The first exploit creation kits for OS X have started appearing.
  20. http://www.networkworld.com/news/2009/041709-first-mac-os-x-botnet.html – First OS X Botnet discovered.
  21. http://www.apple.com/macosx/whats-new/features.html#security
  22. https://bugzilla.mozilla.org/show_bug.cgi?id=394107 – A Firefox bug report about a vulnerability to keylogging.
  23. http://www.computerworld.com/s/article/9211599/Apple_invites_bug_researchers_to_scrutinize_Lion_OS?taxonomyId=85 – Apple letting security researchers review Lion.

Update 1 – August 17 2011

A delayed update, but it is worth pointing out that this article is basically out of date. Apple has indeed fixed most of the problems with security with their release of Lion. At least this article is an interesting look back, and shows why Mac users should upgrade to Lion and not trust anything before it. Despite Lion being technically secure, it is interesting to note that Apple’s security philosophy is still lackluster. Here is an interesting article on the lessons Apple could learn from Microsoft and an article showing just how insecure Apple’s DHX protocol is, and why the fact it is deprecated doesn’t matter.

June 15, 2011

Obtrusiveness in cinemas

Filed under: Issues...the world...etc.. — allthatiswrong @ 1:07 pm

The Alamo Drafthouse recently banned texting in cinemas. Is that too far? I don’t get why people get so upset about a tiny little screen far in front of them which they shouldn’t be paying attention to in the first place. Do people really lack the willpower to just ignore such a thing and focus on the movie? If people are talking or being obtrusive that is one thing… but people getting upset about just texting or whispering something to a partner is getting out of hand. Some people even have a fit at people talking during the previews… the previews, for god’s sake! Regardless of what some people may think, the previews are not the start of the movie and there is nothing wrong with discussing them.

I think it is especially amusing that some people get so bent out of shape as part of the reason people go and see a movie at the cinema is not just the big screen and better sound, but the shared experience. People like to laugh together, to be surprised together, all of that stuff. Given how vocal Americans like to be at movies, I find it odd that being obtrusive in one way is fine, but if someone wants to do something that isn’t inherently obtrusive they have a fit about it. Clapping when a bad guy is defeated? Fine. Subtly checking a text message? How dare you!

I wish I had so little to worry about that I could afford to focus on someone taking 2 seconds to check a screen a few seats away obscured by other people or chairs rather than paying attention to the movie I paid to watch and enjoy. As it is I have enough willpower just to focus on the movie and not blow trivial things out of context. Rather than banning text messaging in a theater, perhaps we could ban the people so petty that they feel the need to complain about it?

Brisbane – The smallest downtown of any big city

Filed under: Issues...the world...etc.. — allthatiswrong @ 1:03 pm

Brisbane City is the third biggest city in Australia, with just over 2 million people and an area of 5904.8 km², according to Wikipedia. Out of all the cities I have been to, I have rarely come across a city with such a small downtown/CBD in proportion to the area of the city and/or population. The density for Brisbane is just 918/km² which seems crazy when you consider it is the third biggest city in Australia.

By comparison, the third biggest city in Canada, a country with a comparable ratio of population to landmass to Australia, is Vancouver, which has a density of 5,335/km² and an area of 2,878.52 km² (roughly half that of Brisbane) and has a downtown that is easily twice the size of that in Brisbane. Adelaide is the 5th biggest city in Australia, with just over 1 million people and an area of 1826.9 km². The density is less than that of Brisbane at 659/km², yet their CBD is roughly twice the size of Brisbane’s. What’s more, it actually feels like a city, with side alleys, more than 20 streets in total and a vibe that something is happening. Even New Orleans with its scant 350,000 people has a downtown that is larger than Brisbane’s.

Using Google Maps it is easy to see you can walk from any point to any other point in the city in 10 minutes, generally in less time than that. The downtown in Brisbane is at most 1 km², which is ridiculous for such a “large” city. Most people overseas have not heard of Brisbane despite having heard of Sydney and Melbourne, which isn’t surprising given it tries hard to be a country town. For a city so large in population and area, I think it says a lot about the culture that the downtown is so ridiculously small. I wouldn’t be surprised if it were among the smallest in the world.

I liked living in Brisbane for a while, but there is absolutely nothing to do there. The downtown is full of businesses with the odd café or restaurant. No museums or galleries or shows or….anything. There are a few clubs open at night but most of them get boring after a while, and given our potential 2am curfew there is going to be even less to do. Brisbane is a very nice place to settle down and perhaps raise a family, but there is no way I can stay there when there is so much more going on in the world. I find it hard to identify with the majority of people who stay there, going through college and getting a job and just repeating the cycle, when there is so much more beyond.

June 1, 2011

Why I don’t like StackExchange sites

Filed under: Tech — allthatiswrong @ 6:50 am

The StackExchange series of sites seem like a great idea. I first discovered the Stack Overflow beta, which was great… a community of peers and students learning from and helping each other. The design of the page was excellent, very simple and easy to use with a simple voting and reputation system in place. Due to the popularity of the format other sites with the same design sprang up, including Super User for user problems and Server Fault for networking stuff, with a whole host of additional sites in beta.

For me these sites have largely replaced forums when I need a quick answer I can’t find elsewhere; however, there are quite a few problems with the format that prevent me from contributing in any serious manner. I should stress that the problems I have are not related to the design or implementation of the technology, but rather are problems intrinsic to any community moderated site.

The most annoying problem is that when you ask a specific question, people will make assumptions and try to answer with what they think is best for you, ignoring the actual question asked. This can be frustrating, and people should not need to explain their entire situation just to get a technical answer. Often the excuse for this is that it is a community orientated site so they don’t want to give an answer that could mislead or harm people, despite questions often being extremely specific. The community rationale is also used to excuse editing posts. If you ask a specific question it may be edited to “better serve the community”, which is just annoying if you need a specific answer to a specific question. The only recourse you then have is to ask your question again, or to delete your original post.

The other problem is all too often emotion and/or politics comes into play affecting the answers selected as correct. Sometimes it doesn’t matter if an answer is technically correct so long as it is popular. Windows is technically and factually more secure than OS X at present, yet any answer saying that in response to a question regarding OS security would get voted down, while a template response about how Windows is horribly insecure would likely get voted up. It’s frustrating to deal with a might is right community, but there also isn’t much that can be done about it while maintaining the freedom the community enjoys.

Lastly, some of the moderators/long time users are far too eager to mark questions as duplicates. Sathya on Super User is especially guilty of this. Sometimes questions may have similar or even identical titles, but often with computing questions the devil is in the details. A person asking the question may want a different solution, may have different needs, may have different circumstances causing the problem, whatever. Sathya simply marks anything similar as a dupe and the sheep follow. Since it only takes 4 votes to close a question it can happen a lot. It can be even more frustrating when you may want an answer in a programming context and your question gets migrated to Super User because people didn’t read it properly. Gah.

I love the technology and continue to use it, but it just isn’t worth committing a lot of time to with this kind of idiocy going on, unless you are fine with the idiocy and partake in it. It’s a shame as the technology is excellent, but people have a long way to go before we use it to its full potential.