In a development which may mean good or bad news for the partly-eaten-fruit-themed prestige computer firm, it has been revealed over the festive season that the US Army is increasing its use of Apple Macs. An article in Forbes magazine revealed the military's (rather limited) newfound passion for Steve Jobs' high-priced Unix …
Register, let's get with the program in 2008, OK
This whole safety because of obscurity issue is really getting old. If it were true, there would be, what 2000 - 3000 viruses running for the Mac?
After all, just look at the percentage and what about the prestige of being the first to produce a Mac virus running wild in the, er, wild. :-) Could it be that without IE and all the old open back doors on computers that run Windows, it's just harder to get into a Mac or Unix machine??? Huh???? Just maybe?????
Happy New Year and let's be just a little more open minded, ok?
Three Little Pigs?
Only in the bowdlerized, disneyfied version do the first 2 pigs get away. The honest Grimms at their grimmest have the first two turning into pork chops. Ha!
Charlie Miller's analogy of the three little pigs is amusing but irrelevant. One has to wonder about the motivation for uttering such nonsense. Cui bono?
That said, it's an interesting question whether "security through diversity" is real or illusory. It's a good meme, but questionably anything more. Has any serious researcher investigated the matter? Likely more a matter for the logicians and philosophers to look into rather than the technical wonks.
ISTM that unless networks are designedly resilient in the face of single-element failures, possibly widespread, platform diversity is a red herring. Example: the inherent design of the internet is supposed to be highly resilient, but all too often we read of major outages traced to the malfunction of a single router or something equally silly.
The Minneapolis freeway bridge that fell down may be analogous, having been designed with no structural redundancy. One bolt rotted thanks to pigeon poop and road salt and bingo! down the whole thing came. Maybe.
You're the best!
Waiting for Spinning Beach Ball to stop ... Artillery says
I can't see it now ...... "Charlie 24, where's that Artillery for the Al Quida position!! They're beginning to over-run us, we're dying out here!!"
"Artillery here, can't start the bombardment to save your lives till this damn OS X Spinning Beach Ball of wait n wait n wait stops again ..... oh shit, that last buggy OS X update has killed our Artillery engagement sighting application! ..... god damn Fu*#in Stevie Gods and Apple ..... "
"Charlie 24, we're being over run!! Start up that ol HP notebook running Windows FAST and get us some Artillery!!!"
CAC for Mac?
Let me snobbishly say that there's already plenty of cack for Mac available. Mwahaha.
Not that I actually care. Plus, loved the three little pigs story. Time on hands, maybe?
"Had straw-house piggy not been part of a diversified porcine defence strategy, his brothers would have also been in straw houses and all would have become wolf chow."
Not necessarily. With the kind of budget that military I.T has, you'd expect them all to be living in custom made reinforced concrete bunkers.
Relying on any publicly available OS isn't "security through obscurity", it's just plain obscurity. If the windows attacks don't work, there is a limit to how many other OSs they could be running, all of which have security holes. A custom OS to which the public has no access at all might actually offer some security value.
Security through obscurity?
Then use OS/2!!!
About OS X security
This article repeats an often heard assertion that there are no viruses for Mac OS X because it's a minority interest platform, too small to be attractive to hackers. This sounds plausible but it's unrealistic, particularly given the growth of Mac sales over the last couple of years. Any successful virus for OS X would earn a huge amount for its author, both in money and in reputation.
On this subject, there is only one certain fact: there are no widely circulating viruses for OS X. There were a few for Classic Mac OS, and some vulnerabilities have been identified in OS X that could provide an attack path for a virus. Some of these have appeared in code from Apple but most have been in third party products, including open source software bundled with OS X. Apple has a good record of plugging these holes before they are exploited and OS X doesn't present a target rich environment for the few that have succeeded in by-passing its perimeter defences.
The easy assertion that Apple's good security performance is because no-one cares about OS X is no more than propaganda. It's a dishonest way to conceal the real reason why OS X is so much more secure than Windows - Apple has done a much better job than Microsoft.
The Register undermines its credibility by repeating dishonest propaganda.
I mean after all come the apocalypse the last thing you want is windows for warheads crashing and you a literal blue screen of death. Brings new meaning to fatal error.
They will have to make some cute but not very functional apps to preload on there
"An article in Forbes magazine revealed the military's (rather limited) newfound passion for Steve Jobs' high-priced Unix boxes."
Last time I checked, an Xserve comes in at a similar price to a similarly specced Dell server running Server 2003 with a handful of CALs (compared to unlimited CALs included with the Xserve). I'm sure the price differential is greater when considering a Linux/BSD box but I don't see anyone complaining about the cost of Windows based servers to the same degree that Apple gets. Bit of balance please.
"high-priced Unix boxes" Same tired old argument. As many have said before, compare like with like and you'll find very little difference in price. Sure you can go into PC World and buy a laptop for £300, but it'll be of very little value except as a paper weight to anyone in the real world.
Lack of "app software"? Like what?
As for security, at present (and I emphasise 'present') there are no exploits which can lead to control or infection of standard Macs out in the wild. Yes there are reports of vulns but still no reports of actual living hacks by oriental miscreants or otherwise gaining access to Macs via the interweb.
Seems to me a safe bet so far by the military...
Given Forbes' lack of any ethics or knowledge with regards to technology reporting, I'm surprised you gave them the free plug. They don't report on the technology, they merely provide a paid-for "3rd party" opinion for those companies that have paid them enough.
Bully to them for having grabbed a share of that market, but it's unfortunate that their disclaimers aren't quite as upfront as their astroturfing.
Gotta like that phrase! All software needs to be for that matter.
It seems to me that most of the "lupine-halitosis" problems come from a town in Washington State (USA). Then again, I'm a bit partial!
Another question: Do penguins suffer from the same problem as the pigs, or does the wolf just freeze up?
Seems like if they really wanted security and diversity... OpenBSD would be a nice choice.
But they'd probably have a hard time spending as much for a 1U OpenBSD machine as they could spend on the xserve, and we all know how much governments like spending money.
Every macaphile worth his salt knows that the apple logo has a dent and not a bite mark. This apparently represents the apple that fell on Newton's head - spurning his theory on gravity.
Incidentally, Newton nicked this Theory from Robert Hooke. So he was probably just bullshitting about the whole thing and was probably having a wank under an apple tree - such was the life of a dandy back in the lazy days of the royal society.
Pulled down to strength of weakest link? Maybe, maybe not
It really depends on what an organization is doing, doesn't it? If the purpose is to keep data secret, then the most porous OS will let everything out the door (or the wolf in). If the purpose is to provide services, then having a diversity of OSes is a strength, as each one takes a different technique to compromise it.
Anyways, nice of the Army to look outside of the Windows box.
Mark this day in your calendars
At last, people promoting security through simplistic generalisation and inappropriate metaphor!
Here, we've been obsessing about choosing the right tool for the job, sweating over identifying risks and toiling over appropriate mitigation of those risks to acceptable levels when we could have just replaced everything in the server room with whatever gear hackers weren't hacking the week we were shopping for new kit - all thanks to a top-brasser reading a brochure and a security maven reading mother goose and neither quite catching the drift...
not new, but food for thought
Forgive me but this is old news. I suppose it is mentioned because Apple news always causes traffic and MWSF is upcoming.
The three little piggies defense is ill-considered. Right now, with most XP installs, the big bad wolf has a key. In fact the wolf moonlights as a locksmith.
I do not know if an Apple computer will eventually have comparable security to a locked down Vista machine but I'd like to think that the added competition will make both Apple computers and Windows computers more secure.
I have more faith that competition will provide a significant incentive to create secure processes.
Hmm I could sort of understand using a Mac as a desktop, that might increase the level of security from the users point of view.
But Apple servers? What is wrong with Solaris? AIX? Or even a zSeries running something crazy?
Wouldn't that be even more secure than some Apple server cack?
Great for peacetime not so great in a time of war
This works in peace time when someone is able to swap in a spare and suffer the long wait for Apple technical support to fix the problem. It's going to be a bit harder in a time of war when the only company in the world that produces, supports, fully understands and licenses that hardware and os may no longer exist.
Personally I'd use a free, secure operating system that is fully open and runs on commodity hardware. If only something like that existed...
First FUD of 2008!
Just more Fear, Uncertainty, and Doubt from the Reg. Same old arguments...
"Macs are too expensive" - Compared to what? When you compare similarly configured computers from major manufacturers to the Mac, the prices are within $25. See here for more info - http://systemshootouts.org
"Security through obscurity" - There are 30,000,000 (that's 30 million) Macs out there. Hmmm, let's see...30 million is about half the population of the UK. Seems to be a fairly substantial number to me. Yet there aren't any viruses, trojan horses, malware, etc. on the Mac.
"No Software" - Really?!? There are about 18,000 pieces of software available on the Mac platform. And since you can run Windows natively on the Mac, that'll add an additional 22,000 programs. And since Macs are based on Unix, all of those applications will also run on a Mac. So what applications are unavailable?
The *real* security reason
I think you guys may have missed the point. The reason the US military is going for the Macs is that there is a perceived notion among the Washington illiterati, oops, sorry, I mean US senators, that, since a major US PC maker has been purchased lock, stock and barrel by the Chinese, then *ALL* PCs are compromised.
Who knows but the "Yellow Peril" may, even now, be inserting chips into the PCs which, at the stroke of midnight, will convert the PCs, transformer-like, into the electronic equivalents of the Gremlins !!
Since Macs are made by an American owned company, they must, by definition, be safer !! No nasty commie chips inside em, can there??!
If you believe all that, PH has some nice home movies to sell to you at a reasonable price. After all, a girl has to fund her lifestyle somehow, now that granddaddy is giving away 97% of his assets to charity !!
Security through obscurity is fine
If you know what it's for. It's not automatically bad. Lemme explain.
Obviously if some hardcore expert in China is dead-set on hacking your system, he'll probably weasel his way in no matter what system you have. All systems have holes.
But any system connected to the internet does have to worry about the hordes of script kiddies, bots and common virii targeted at consumer systems, and security through obscurity works fine for that.
Linux people have been relying on it for ages, actually. Take Spyware for example. Spyware can work on Linux. ~I know how to make it~. It's not hard. But since Spyware and Adware are in it for the money, and are thus market driven, nobody bothers making them for Linux.
Hence, Linux has no Spyware even though it's a snap to make it and if you don't believe it, you have no idea how it works and even less idea how Linux works.
That's what this is for, really; the random threats lurking on the internet, virii and bots that blast ranges of IPs to hit the latest common vulnerability.
And for that, it'll work just fine.
More sense than
The Brits, with Windows For Warships
"If you know what it's for. It's not automatically bad. Lemme explain."
You miss the point of the "Security through Obscurity" saying. It's not "Systems Which Are Economically Uninteresting to Attack Are Safer" (though that may also be an aspect of the situation), it's "Systems For Which the Attacker Has No Available Description Are Safer". And this is always true. But may be weak.
Using a *nix is _NOT_ "Security through Obscurity". Using a homegrown OS which only permits remote logins through specially crafted IP protocols different from TCP or UDP is.
"All systems have holes."
This is of course stark marketing bull liberally used by weakest link providers to pull everything down to the lowest level (i.e. their own). It should be "The More Complicated And Messy A System, The Higher The Likelihood of an Exploitable Fault".
"Spyware can work on Linux. ~I know how to make it~. It's not hard."
That depends on what your meaning of the word "Spyware" is. Please give details and how you want to install it.
P.S. The standard plural of "virus" is "viruses". Please leave the l33t "virii" at the communal dump.
Can anyone explain to me why military systems need *any* internet connectivity? They never used to be connected to anything, except to other military computers through secure signals networks.
Not to mention mostly running with no OS and custom software (written in ADA and such like) that was small enough to be inspected line by line for security flaws.
You do know that macs are made in the same factory, with exactly the same parts as PCs, right? Macbooks are made by ASUS at the moment.
what makes macs "different" is a little bit of code in the Trusted platform module.
Re: Three little pigs.
The analogy would be correct *if* the writer had remembered that these computers are networked. Thus the situation would be more akin to the Straw house having a weakly-defended tunnel connecting it to the Brick house. ^_^
Secure operating systems
One word (or at least a series of alpha characters without whitespace): OpenBSD. Anyone who doesn't already know this is the only serious choice as far as a modern, usable operating system with good security is concerned needs to learn some industry basics. That the military haven't already standardised on OpenBSD boggles the mind, frankly.
(Note: before anyone has any digs, I'm not actually an OpenBSD fanboy; I only use it on my firewall, where I'd be a drooling moron to run anything else).
re: Security through obscurity is Fine
The example that spyware and malware is a profitable industry is excellent - but you don't take it far enough. Virus development is largely a commercial industry if you have sufficiently compromised ethics to release to the wild.
Somebody earlier argued that there are no in the wild examples of Mac Virii - imagine the prestige of being the first - working proof of concepts are out there. Go subscribe to some journals. The difference is - people with the skills to develop malware are very rarely doing it for the sheer delight of being asshats.
The majority of money to be made for people with the necessary skill set is made through hackmailing, or security consulting. Security consultants don't generally release virii to the wild - because it's too much risk. Even if it would be awesome - the excellent chances of ending up with a criminal record puts most people off the idea of a really funny prank when they could go out and win lucrative contract after lucrative contract.
Hackmailers and puppeteers - the people who do actually develop viruses and release them to the wild - generally don't want notoriety. They generally want the only people aware of their skill set to be the people they've extorted. And Macs don't have enough marketshare to be worth the effort - why develop solutions to target 5% of the market when you can target 90% of the market?
Mac and Linux systems are no more inherently secure out of the box than any Windows system. But there is good reason to move towards Mac and Linux for high security environments - The path to robust security on the platform is well known and easily available - and commercial exploit developers are focused in other directions. Terrorists/malicious governments make use of existing source code developed by commercial black hats - hell, I know first hand of circumstances in the early 90's where an Australian state police division distributed Back Orifice disguised as joke emails to try and catch kiddy pornographers - and admitted to such at developer conferences explaining the loophole in the law that made it legal at the time.
Malicious third parties will need to custom develop if they want to target mac/linux machines instead of just going to a hacker's resource and downloading a pre-fab tool kit. It increases cost of action which is unmistakably a good thing.
Different walls, not different houses
Except that by making networks comprised of computers running multiple OSs, the US military is doing the equivalent of building a house with some walls of straw, some walls of wood, and some walls of brick.
Hackers will enter via the weakest wall.
And that wall might turn out to be the OS/X or Unix wall, who knows.
"That said, it's an interesting question whether "security through diversity" is real or illusory. It's a good meme, but questionably anything more."
Isn't around 4 billion years of evolution enough? Diversity is the reason why no killer virus has ever wiped out the entire human race (despite some good tries). There are even some individuals who for genetic reasons are resistant to HIV. If nature were let to run its course (with no medicine or vaccination development), such genes would gradually become more common, because their carriers would be more likely to survive and reproduce.
Spyware for Linux
I'm sorry, I thought virii was the standard, like radii. I dunno where I got that. Anyway...
Spyware isn't really a big deal for servers, and is a somewhat different topic from viruses, but you did ask me to explain further about spyware on Linux, so here you go:
First, understand that it's an invited guest on Windows. This is a new problem so laws against it are slow for many reasons, so these are legally legit companies making the spyware and it makes economic sense to keep it legally legit cause it's too easy to make money legally to bother breaking any laws.
It just piggy-backs with other software. Included with Bearshare or whatever file sharing program you have, or it comes in as an IE\Firefox addon or ActiveX control that a website tells the user to allow so they can get some free knicknack like a desktop wallpaper or set of IM smileys. I've seen so many people fall for it, it's frightening.
Now, your uneducated home user will be more than happy to click on the .rpm or .deb file on the website if the website tells them to so they can get ____. It's just the computer nagging them about something they don't understand. They're more than used to clicking "okay" and "shutup and work already".
On Ubuntu or Fedora (or Vista...) this will automatically pop up the root login. They log in, the program installs, bam.
It can set itself up as a daemon with super user access, access all their firefox cache and records, or open popup windows. The sky's the limit. And all it took to make it legal was to stick a mention in that EULA that came with PirateMonster or whatever.
Not that it even needs super user access. If you can get the customer to run any program - which isn't hard - you can have it create a hidden directory (the classic "..." folder? A folder called ".glib"?) to store an adware program and wedge it into the local startup scripts or Gnome or KDE config files. (Both desktops can be configured to start an arbitrary program on login.)
Remember that when we're talking about a home user's computer, the fact that a program can't run as root means very little to a spyware because the data it wants is in userspace.
You may be thinking "well all I have to do is not install it". And you'd be right. That trick works on Windows too. Linux just plain isn't special here, and neither is Mac. Not by a long shot.
But obviously user downloaded spyware isn't the biggest problem for a server in a closet.
Lemme reiterate my original point; Obviously Mac can be hit, but if they've got redundant, incompatible systems, then they'll never all be brought down by the same virus at the same time.
Obviously if some really smart foreign intelligence agency is dead set on breaking into a given system, this won't help, but it's not supposed to. It's supposed to help with the epic fuckload of random malware floating around on the net.
That doesn't mean they're not worried about foreign intelligence. It only means this particular project isn't worried about foreign intelligence. The money they spend on commercials isn't geared towards thwarting foreign intelligence either. Obviously thwarting foreign intelligence is an important thing, but there are many other things the army has to worry about.
This is one of those 'other things'.
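Added example (not part of any comment in this thread): a defender's audit of the per-user launch points the comment above describes, namely shell startup files and desktop autostart entries, reporting any command that lives under a hidden directory in the user's home. The sample home directory, its file contents and the `ALLOWED_HIDDEN` allow-list are constructed assumptions; tune the allow-list for tools that legitimately install into dot-directories.

```python
"""Audit one user's login-time launch points for commands kept in hidden directories."""
import shlex
import tempfile
from pathlib import Path
from typing import NamedTuple

# Shell startup files and the XDG autostart directory (read by GNOME and KDE).
RC_FILES = (".profile", ".bash_profile", ".bashrc")
AUTOSTART_DIR = Path(".config") / "autostart"
# Assumption: dot-directories where user-installed programs legitimately live.
ALLOWED_HIDDEN = {".local"}


class Finding(NamedTuple):
    source: str      # file that triggers the launch, relative to home
    command: str     # token exactly as written in that file
    hidden_dir: str  # hidden directory the command sits under


def hidden_part(token: str, home: Path):
    """Return the first hidden directory between `home` and the target, or None."""
    expanded = token.replace("${HOME}", str(home)).replace("$HOME", str(home))
    if expanded.startswith("~/"):
        expanded = str(home / expanded[2:])
    try:
        rel = Path(expanded).relative_to(home)
    except ValueError:
        return None  # not a path inside this user's home
    for part in rel.parts[:-1]:  # directories only; dotfiles such as ~/.bashrc are normal
        if part.startswith(".") and part != ".." and part not in ALLOWED_HIDDEN:
            return part
    return None


def tokens(text: str):
    try:
        return shlex.split(text, comments=True)
    except ValueError:  # unbalanced quotes, e.g. a multi-line string
        return text.split()


def audit_home(home: Path):
    candidates = []  # (file, command text found in it)
    for name in RC_FILES:
        rc = home / name
        if rc.is_file():
            for line in rc.read_text(errors="replace").splitlines():
                candidates.append((rc, line))
    autostart = home / AUTOSTART_DIR
    if autostart.is_dir():
        for entry in sorted(autostart.glob("*.desktop")):
            for line in entry.read_text(errors="replace").splitlines():
                if line.startswith("Exec="):
                    candidates.append((entry, line[len("Exec="):]))
    findings = []
    for source, text in candidates:
        for tok in tokens(text):
            hidden = hidden_part(tok, home)
            if hidden:
                findings.append(Finding(str(source.relative_to(home)), tok, hidden))
    return findings


def build_sample_home(root: Path) -> Path:
    """Constructed sample data: benign entries plus two launch points worth a look."""
    home = root / "home" / "alice"
    (home / AUTOSTART_DIR).mkdir(parents=True)
    (home / ".profile").write_text(
        'if [ -f "$HOME/.bashrc" ]; then . "$HOME/.bashrc"; fi\n'
        'PATH="$HOME/.local/bin:$PATH"\n'
        "~/.../helper --quiet &\n"
    )
    (home / AUTOSTART_DIR / "notes.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Notes\nExec=/usr/bin/gedit %U\n"
    )
    (home / AUTOSTART_DIR / "glib-update.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=GLib Update\n"
        'Exec=sh -c "$HOME/.glib/updater"\n'
    )
    return home


if __name__ == "__main__":
    sample = build_sample_home(Path(tempfile.mkdtemp()))
    for f in audit_home(sample):
        print(f"{f.source}: runs {f.command} (hidden directory {f.hidden_dir!r})")
```

A hit is a prompt to inspect the file, not a verdict: version managers and similar tools also hook shell startup from dot-directories.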
Are you kidding? Everything is done by email, with storage and configuration management being done remotely. Check out NMCI... the world's largest intranet.
You're right. The US Gov. should get onboard with their own standards, and everything should be written in Ada for robust long-life cycle support (it's not ADA... it's a proper name, not an acronym. Named for the world's first programmer--Augusta Ada King [née Byron], Countess of Lovelace). There was a humorous thought floated in the Ada world that M$ was just waiting for the US Gov. to contract and fund conversion of all M$ Suckware to a more robust and secure codebase under current standards (now it'd be under IEEE/EIA 12207 and specifying Ada as the HOL for use [probably Ada 2005 (ISO/IEC 8652:1995/Amd 1:2007)]). Then they get stupid amounts of money to go back and do it the right way.
DoD should just absorb the AdaOS project, which has apparently been languishing in purgatory, and develop it. Maybe get a couple of software engineers to hijack the SourceForge project, make it live again.
Keep It Simple Stupid!
It seems to me that there are two problems with security on “modern” operating systems.
• The complexity of the system.
• The erection of a “brick wall” as the main deterrent and defence.
Taking a brief look at the major modern systems that are available, one can conclude that the most complex systems are the various flavours of Windows. Each version becomes more complex. Is it any wonder that take-up for Vista is so slow? I suspect that the biggest problem for its manufacturers was that even they do not know what happens inside their OS, which leads to the sort of problems presented by Vista, for example, very late delivery of a half-written product, a cack-handed approach to security (i.e. ask the user before any operation is carried out), and virtually all of the promised new features dropped from the specification. A reasonable half-way house for Windows users is XP, which though full of holes and the same complexity, is the devil you know, it has reached a sort of maturity.
The other systems in general use are all unix type systems. These have many benefits, regarding security, and as a previous contributor suggested, the best one has to be the simplest one. His suggestion, particularly in the way he is using it, is Open BSD, being used as a firewall. If you examine the nature of Open BSD, it is a system that is totally user configurable, and you only load what you want. Therefore, it is relatively simple for a code oriented user to protect the machine from external attack.
Even the most complex unix system, probably Darwin/Aqua, is a lot easier to understand and protect than a Windows system. You can be pretty sure that even if 98% of its user base hasn’t got the faintest idea of what is going on in there, Apple has, and it is in their commercial interest to keep it that way.
So what we have are two main methodologies, unix which relies on simplicity, (this is not genuine simplicity, but simplicity relative to its main competitor, Windows), and Windows which relies on the erection of a defensive wall.
The problem with a defensive wall is that once a programmer with malign intent is over, under or around the wall, fuck knows what will happen and there is no one around to help, ‘cos even the manufacturers do not have the foggiest.
So, in conclusion, the safest system is probably the simplest one, that is configured by the company techie or the keen amateur. He/she should never rely on a brick wall as a defence, and he should in the words of the erstwhile president of the USA…. KISS – Keep it simple stupid.
Of course the best alternative is for someone, somewhere to produce a very simple binary based system (NOT text based as in unix and Windows), generated with the leanest code (assembler), one that is simple to configure by the average user, one that is designed from the ground up, to be penetrable. Let’s face it, if you can see someone nosing around you can hit them in the goolies, before they do any damage.
Watch this space!
Security through diversity
I don't think the term security through diversity, as some commenters suggest, is intended to make it impossible to break the network. It's more like the way the internet was designed. ARPAnet was originally created so that taking down one node wouldn't bring down the network, of course back in the day they were concerned with nuclear attacks and not viruses and exploits.
Now, taking down one windows machine with a well crafted virus can bring down most of the network. So diversifying the stock prevents a technological potato famine. Largely homogeneous crops suffer at the strike of a single virus, heterogeneous crops will allow some to survive. Basically security through diversity brings survival of the fittest into play, which of course will probably end up in a largely homogeneous crop of machines in the long run, but those machines would hopefully (because of the evolutionary nature of software) be far more secure, the benefit of this is two fold, MS will have to improve their security or die, and software will generally become more and more secure as time goes on. This will of course benefit us all as the necessary fixes need to come from the corporations who develop the software.
Where are macs made?
uk military systems
have an air gap between the secure network and the Really secure network where they keep the important stuff. I would assume the yanks do the same. This is just a measure to prevent joe public getting spooked by stories of hackers gaining access to military systems, even if all they saw was the canteen menu.
I've worked on a few, so I know how they run things.
If the singular were 'virius' the plural might be 'virii'.
Assuming that 'virus' follows 'medicus' and not 'cursus', a person trying to show off his Latin would form the plural as 'viri'. Of course, if it follows 'cursus' the plural would be 'virus'.
But English forms plurals by appending 's' or 'es' to the stem in words that are not exceptions ('oxen'); it does not use Latin forms for plurals (hence the plural of 'museum' is 'museums' and not 'musea').
- A pedant -
There are far too many pedanti on here.
I presume they are using bootcamp
I presume the army are using boot camp, how else will they get any work done? Unless the machines were bought for use in reception, because they look nice ;-)
I recall a discussion about this some time ago... I'm too lazy to search. Anyway, 'viri' probably means 'men', and 'virii' is just a made up word intended to sound vaguely classical. I have a sneaking suspicion that the plural is in fact 'virus' (plus a - over the u), pronounced 'vi-roos'. Very dull.
OpenBSD was offered a moderately generous amount of cash by the US DOD a few years back, which was then withdrawn after the project leader Theo de Raadt said something disparaging about the war in Iraq. The money was redirected to a Sun project, I suspect.
I believe that it might well be possible for OSX to be more secure than a Windows server... I suspect it has support for potentially useful things like mandatory access control courtesy of the TrustedBSD project. Linux has similar things of course (SELinux, which I believe the NSA had a hand in) as does FreeBSD from which OSX was derived. OpenBSD doesn't support it, and once again Theo has made some colourful comments as to why he disapproves of such things.
But still, OSX seems like a baffling choice. I'd have thought some good, old fashioned UNIX Iron such as Solaris on SPARC would be the way to go, given the significant number of security-assisting features that these sort of architectures have. Solaris seems to have quite a lot going for it, if you have the cash available and sure the US military has no shortage of IT pork barrels to dole out?
It all smells like a rather pointless bit of publicity to me.
The interesting thing to me is that while many folks have "access" to the BSD underpinning of OSX, so there is some possibility of the "good guys" noticing a vulnerability before the "bad guys", Windows source is tightly controlled. Whether you think this is a good idea or not may depend on whether you remember that the Chinese government is one of the groups that has access. I tried to ask Bill Gates once whether they had filed any security-related bugs, but got cut off. Either answer would have been interesting.
@DeFex and @Niall Campbell
I know !! In fact, I've even been there. Hence that last paragraph.
And if you took that Mac paragraph literally, then I have a bridge in Brooklyn to sell to you !! Cheap !! Cheap !! Only one previous owner !!
@virii - shows a sad lack of classical education around here. But then, that's to be expected. Perhaps a copy of "Latin for Dummies" might be of use !!
Can an apple server keep out Decepticons who try to hack the network?