--On Tuesday, February 28, 2006 11:03:12 -0600 Stef <stefmit@gmail.com>
wrote:
If you look at the [very, very] specific paragraph I was referring to,
from Paul's email, then I hope you will agree with me that what I was
trying to convey was the need to avoid generalizing categorization of
users ... having said that, the implications are that a much higher
awareness, and - in turn - possibility of addressing and/preventing
issues related to vulnerabilities exists in the Mac community, vs. the
Windows one, for example.
Let's see. I use Windows XP, Mac OS 10.3.9 and FreeBSD 5.4 SECURITY daily.
Therefore all three platforms obviously have a much higher awareness of
security issues, right?
At least that *seems* to be your logic.
The fact is, as a community, Mac users have the belief that their system is
"secure" - that they have nothing to worry about. *Of course* there are
Mac users that are astute and fully understand the risks. Just as there
are Windows users who are the same way.
Just because the geeks have taken to the Mac OS doesn't mean its community
has raised its level of awareness more than a nanometer or two. In fact,
when I sent a campus-wide announcement about the recent shell
vulnerability, the *majority* of comments that I got from users *within* IT
was, "You're spreadying FUD. Mac's are not anywhere near as risky as using
Windows." Professors and others emailed me asking, "What do I need to do
to be safe?"
If you think the Mac you're using is secure, I encourage you to go try to
run the poc that Secureiteam posted. Just be sure to bring a clean pair of
drawers with you.
I've used Windows since it first came out. I've never had a single virus
infection, never had a single machine hacked, never had an incident of any
kind. Does that mean Windows is "secure"? Of course not! The idea that,
because you are using a Mac, you have less to worry about, is just as silly
as the idea that, because you're using Unix, you have less to worry about.
Guess which platform get's hacked the most here? (Hint - it ain't Windows.)
In *general*, the hosts that are the most risk are the ones that are the
most poorly maintained (if they're maintained at all), and the OS they are
running is irrelevant. There's only one OS that I know of, on this campus,
that has never been hacked, and it has nothing to do with the OS and
everything to do with how it's maintained and how it's protected (and no, I
ain't telling you what it is.)
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
