NSA Security Guide for Mac OS X

michael posted more than 9 years ago | from the take-a-bite-out-of-crime dept.

An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."

YAFP (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10663083)

Yup, yet another first post. Man, is this getting boring.

-DT

Quick guide (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10663187)

Securing Mac OS X:

1. Don't use it.
2. You're done.

Securing Linux:

1. Don't use Gentoo, because it is for pimply faced youths only
2. Don't use Debian, because their servers are hacked on a regular basis.

Securing Windows:

1. Use XP Home.
2. You're done.

FU SLASHDOT (-1, Troll)

krankykris (819913) | more than 9 years ago | (#10663084)

no one cares. slashdot moderators suck!

Re:FU SLASHDOT (0, Offtopic)

Anonymous Coward | more than 9 years ago | (#10663413)

Normally I wouldn't reply to this, but since you didn't post as Anonymous Coward I felt compelled to look at some of your other posts.

I can tell by reading what you've previously posted, that it's not the moderators that suck. You are very opinionated, which is fine, but you seem to think your opinion is actually fact.

You're either young, or you just never bothered to learn that everyone is different, and everyone sees things differently. For example, you don't like Open Office. Many people do, and many people like it more than the commercial alternatives. So when you post saying "Open Office sucks huge." You're not saying anything constructive. You're merely expressing an asinine immature emotion.

What would be constructive is if you openly looked at the other side of the argument, and actually considered it as being true, and took a step back and re-evaluated your own opinion for a moment. If you can't see the other side, or don't even bother to try, you're not really having a discussion, you're just having a pissing contest. And after you can do that, you should then be able to express your opinion in terms of why's and how come's. I.e.: Not just "Open Office's interface is st00pid#!!1" but "I dislike this feature of OO because of this reason, whereas MS Office does it this way and I feel that to be more efficient."

Truthfully, you just come across as an angry person with a chip on your shoulder. If you act like this in real life I expect you to have no friends, or at least if you do have friends you've probably manipulated them into feeling bad for you. Really they only pity you. You need to grow up, and act like a man. Cliche, but true. Suck it up, and get over the fact that life is not perfect, nor is it what you want it to be (and it never will be). And that's okay. Life is life. No need to get mad about it.

Another hint for you is not to have your sig as "FUCK YOU SLASHDOT". The only explanation for that is a) you're an angry kid with a chip on his shoulder, or b) you want to be modded down. Which makes sense in the context of a) since most people like that take derivative forms of pleasure from making their plights self-fulfilling. What better way to scorn the world than to be certain the world scorns you?

My advice to you is grow up, get real, and quit being such a baby.

Note that this is posted anonymously because I _expect_ the moderators to mod it down. It is offtopic and should be modded accordingly.

Oh, one final thought. You complained about the moderators modding one of your comments as "Redundant." I remember reading that story (and its comments) and you probably posted that without even reading all the comments, because I remember reading a few others with similar (but much more well expressed) sentiments. Your post was most certainly redundant.

Re:FU SLASHDOT (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10663490)

"You complained about the moderators modding one of your comments as "Redundant." I remember reading that story (and its comments) and you probably posted that without even reading all the comments, because I remember reading a few others with similar (but much more well expressed) sentiments. Your post was most certainly redundant."

I am not the grandparent....

Just yesterday I posted something that made it to +5 insightful, and was coincidentally the first post. Now it's down to +2 after picking up a couple of redundant mods. How the fuck can a first post pick up a redundant mod?

I agree grandparent is childish, but I also agree the moderators smoke crack.

Re:FU SLASHDOT (2, Funny)

berbo (671598) | more than 9 years ago | (#10663644)

I agree grandparent is childish, but I also agree the moderators smoke crack.

Not all of us - some of us prefer Guatemalan insanity peppers.

Random/incorrect moderation (0)

Anonymous Coward | more than 9 years ago | (#10663709)

"Me too"

some moderators really really really don't know what the hell they are doing. If you're going to use those mod points, RTFA and read the threads before you mod.

Why doesn't meta moderation weed out these fools?

Jurassic Park on OS X (2, Funny)

AKAImBatman (238306) | more than 9 years ago | (#10663096)

Lex: "It's a UNIX system! I know this!"

Re:Jurassic Park on OS X (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10663202)

first frickin' post (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10663097)

first frickin' post!!!!!!!!!!!!!

New Government-Oriented Commercial? (4, Funny)

American AC in Paris (230456) | more than 9 years ago | (#10663103)

(voiceover)

Step 45,328:

There is no step 45,328. There is no step 45,328...*soft weeping sounds*

Re:New Government-Oriented Commercial? (0, Flamebait)

krankykris (819913) | more than 9 years ago | (#10663232)

hah this is funny. /. moderators have their heads up their ass.

Re:New Government-Oriented Commercial? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10663327)

I concur. The mods are on crack.

Re:New Government-Oriented Commercial? (1, Redundant)

drinkypoo (153816) | more than 9 years ago | (#10663682)

hah this is funny. /. moderators have their heads up their ass.

The problem is that moderators don't actually bother to follow the moderator guidelines. Another problem is that there is no real forum for discussing problems with moderation, so you have to do it in your journal or under a story, where it typically is moderated as offtopic or flamebait. I'm waging my own ineffectual little war against those moderators in metamoderation by marking any negative moderation of comments about failings of editors or moderators unfair, and I urge the rest of the slashdot readership to do the same. The most important thing you can do, of course, is metamoderate.

The other problem is that you can comment on a story, or you can moderate it, but not both; this guarantees that only people who have nothing interesting to say about a story are allowed to moderate it. In other words, the people best qualified to moderate are the people who aren't moderating the story. Proof-positive that something is rotten in slashdotville. The entire moderation system needs a major overhaul and I don't see it happening any time soon :P

Steps (-1, Troll)

strictfoo (805322) | more than 9 years ago | (#10663107)

1. Uninstall
2. Install OpenBSD
3. Cry because pretty hardware doesn't increase performance or productivity
4. Have a sex change

Re:Steps (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10663124)

you of course forgot: ...
5. Profit

What about... (4, Interesting)

Staos (700036) | more than 9 years ago | (#10663112)

I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple's site. I even had support about how to add more RAM. That machine is back from 1994 or something.

OS X updates aren't service packs, they are new OSes. 10.3.0 is a new OS, 10.3.1 is a service pack.

About antivirus and anti-adware? As it's a BSD-based real OS, it's run by rights. As it's a pain in the ass to code spyware on Linux, it's much harder on OS X. Guess why? OS X shows a user-friendly window which is centralized by the OS GUI whenever a program needs administrative access.

Oh, there is a program on OS X that comes with it and has an unsolved security problem. Yes, it still exists. Guess what it is? INTERNET EXPLORER Macintosh edition.

Re:What about... (2, Insightful)

0racle (667029) | more than 9 years ago | (#10663426)

I don't see how simply having a centralized 'This app needs Admin access' form makes it any harder to write malware for a system; any app could trigger that function and make the request. Windows also has a single Ask for Admin form, all you have to do to trigger it is name an application setup.exe and it will ask if you want to run it as Administrator or not, and I'm sure that's not the only way.

Malware is hard to code on Linux and *BSD not because of some standard or non-standard way of asking for access, but because of years of very intelligent people asking themselves how can we safely do that. OS X's polished GUI functions are over and above that to present the nice base OS in a non-threatening way.

Re:What about... (2, Informative)

Englabenny (625607) | more than 9 years ago | (#10663530)

Fortunately internet explorer is discontinued

Re:What about... (2, Insightful)

evilviper (135110) | more than 9 years ago | (#10663563)

As it's a pain in the ass to code spyware on Linux, it's much harder on OS X. Guess why? OS X shows a user-friendly window which is centralized by the OS GUI whenever a program needs administrative access.

That would make it EASIER to spread worms/viruses than a normal Unix system, NOT harder. In Unix, attempts to access resources you don't have permissions to, just fail. If it pops up a window that says "would you like to give this program access" then you're just as screwed as the rest of the world... That's because people are stupid and click yes without knowing what they're doing. If it's piggybacking on some other installation (browser plug-ins or other 'gee wiz' features) then users wouldn't have the slightest reason to suspect anything.

Note, though, that this is only for viruses/worms, because spyware doesn't need root access to do its job. It can spy on you in user-land just fine. It can change your browser proxy settings without root access, and pop up ads from competing sites without root access. Am I missing any annoying features?

Re:What about... (4, Insightful)

Anonymous Coward | more than 9 years ago | (#10663687)

Not sure if this would make it more secure for the OS challenged, but when it asks for administrative permission it asks for a password. If an office admin wants to keep the OS X's in the office secure, just don't give the secretaries the password for their computers. If they need to do anything which requires the password, they have to ask the computer guy and he can say, "So why do you need to see nude pictures of Brad Pitt again?"

Lack of safety in numbers (4, Funny)

YetAnotherName (168064) | more than 9 years ago | (#10663113)

Given how entrenched Micro$oft's clutches are into the US Government, a security guide for Windows based systems would be even more useful.

(I work for NASA; almost everyone in our group has Mac OS X on our desktops and Linux in the server room. Our supervisor is the only Windows user. Yes, he's developing pointy hair.)

Re:Lack of safety in numbers (3, Informative)

Scutter (18425) | more than 9 years ago | (#10663141)

How about this [nsa.gov] ? There are several linked off that NSA page besides this one.

NSA Guide to securing Windows computers (4, Funny)

Roadkills-R-Us (122219) | more than 9 years ago | (#10663423)

Step 1: Pack Windows system in appropriate shipping container
Step 2: Mark container "Target"
Step 3: Have courier deliver container to nearest FBI shooting range

Re:Lack of safety in numbers (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10663151)

You should check out the site; such guides have been available for years. See, Mac users are thick twats.

Re:Lack of safety in numbers (4, Funny)

lachlan76 (770870) | more than 9 years ago | (#10663153)

Had you not brought down the NSA website, you would find them here [nsa.gov] .

Re:Lack of safety in numbers (3, Insightful)

hbackert (45117) | more than 9 years ago | (#10663172)

Did you click on the second link in the story? There's a lot for Windows. See under "Operating Systems".

Given the fact that I don't use MacOSX, I checked out the Cisco one some time ago and it's quite impressive. Lots of common sense things of course, but some good ideas I would have otherwise not thought about. Definitely recommended.

It's nice to see government agencies not waste our (sorry: your) tax dollars and instead produce something useful and not hide it on one of their many shelves.

Re:Lack of safety in numbers (1)

buzban (227721) | more than 9 years ago | (#10663435)

It's nice to see government agencies not waste our (sorry: your) tax dollars and instead produce something useful and not hide it on one of their many shelves.

I agree that useful government work in this area is great, and I don't mean to assail this poster....but getting things even further out there (i.e., not on a somewhat-obscure shelf, but somewhere where my clueless, Windows-using family would find it). Wonder if there's a better way that NSA could promote this stuff so that everyday (non-power-) users would find it?

Re:Lack of safety in numbers (2, Funny)

Andr0s (824479) | more than 9 years ago | (#10663208)

A security guide for Windows-based systems ?

Talk about an exercise in futility. I'd put that book right next to Understanding Republican Mindset, Philosophical Debates of Military Intelligence and Filanthropy of Modern Man

Re:Lack of safety in numbers (4, Funny)

general_re (8883) | more than 9 years ago | (#10663359)

Filanthropy of Modern Man

I'll put it alongside my copy of Speling Fer Slahsdooters.

Re:Lack of safety in numbers (2, Funny)

Andr0s (824479) | more than 9 years ago | (#10663398)

Eh... not all of us in the world are native English speakers. Still, I trust my English spelling & grammar beats your Croatian, eh?

Re:Lack of safety in numbers (1)

general_re (8883) | more than 9 years ago | (#10663429)

Just thinking of further exercises in futility ;)

Re:Lack of safety in numbers (1)

CrackedButter (646746) | more than 9 years ago | (#10663407)

Yuu cant' nock him four spelling such a werd like phat, knot when their arr werse ofendeers on teh internet. Its' the simmple werds phat anoy me moore, eveybody shold no comon engrish.

Re:Lack of safety in numbers (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10663745)

More like "Understanding the Democrat Mindset"...

You sound like a typical liberal wanker who wouldn't last a day in the military...

Re:Lack of safety in numbers (1)

Bequita (813032) | more than 9 years ago | (#10663816)

"Given how entrenched Micro$oft's clutches are into the US Government, a security guide for Windows based systems would be even more useful. "

But virtually impossible.

Re:Lack of safety in numbers (1)

skiman1979 (725635) | more than 9 years ago | (#10663935)

Did you read the summary of this article? There is a link at the bottom that shows there are NSA security guides for other operating systems as well.

These things make a nice checklist, but.... (4, Insightful)

general_re (8883) | more than 9 years ago | (#10663130)

....actually implementing everything the NSA recommends in its guides will get you a system that is both highly secure and exceptionally inconvenient for its users. It's a useful reference, to see if you've forgotten anything that you particularly want, or anything obvious, but as always, individual admins will have to decide for themselves where they want their systems to lie on the security-usability axis...

Security, Usability, Reliability (5, Insightful)

stratjakt (596332) | more than 9 years ago | (#10663167)

Pick any two.

Re:Security, Usability, Reliability (0)

Anonymous Coward | more than 9 years ago | (#10663480)

Forget reliability -- like he said, there's a point where security and usability simply clash.

Re:Security, Usability, Reliability (1)

rxmd (205533) | more than 9 years ago | (#10663483)

Pick any two.
Or less (read: Windows 95)

Re:Security, Usability, Reliability (1)

GoofyBoy (44399) | more than 9 years ago | (#10663616)

I was just about to say that Windows 95 is a good example of this point.

Loads of games are still being produced which still run on 95, a lot more than on Macs. Usability.

And as more people move on to XP or other systems, blackhats are slowly turning their attention away from 95. Just don't use IE. Who makes new viruses for DOS?

http://www.openbsd.org (1)

Triumph The Insult C (586706) | more than 9 years ago | (#10663584)

pick all three

Re:These things make a nice checklist, but.... (1)

siriuskase (679431) | more than 9 years ago | (#10663501)

If your sig is to be believed, you are not qualified to advise on the usefulness of this guide.

Re:These things make a nice checklist, but.... (1)

general_re (8883) | more than 9 years ago | (#10663545)

Fair enough - I haven't read the OSX version, but I have read the Windows and Solaris guides, so maybe you can settle for extrapolation instead of investigation ;)

You Bastards! (5, Funny)

Anonymous Coward | more than 9 years ago | (#10663137)

Hmm the pdf is downloading at .6 k/s and dropping. Slashdotting the NSA - this qualifies for some sort of Darwin award, doesn't it? :)

Re:You Bastards! (2, Funny)

datadriven (699893) | more than 9 years ago | (#10663474)

... Or maybe it's a violation of the patriot act.

Re:You Bastards! (1)

Tibor the Hun (143056) | more than 9 years ago | (#10663495)

yeah very funny.
those punks probably now think that it was a coordinated cyber-attempt to disrupt the election, and now they've got all of our IPs.

File Vault (5, Informative)

dumitrius (686430) | more than 9 years ago | (#10663144)

This is simply the encryption of the entire user's home directory. I had this enabled on my PowerBook, stuffed it with a few gigs of data and it ran fine for a while... maybe like 3 months. Then one day on a reboot the thing silently lost all my personal settings and dropped me into a stock desktop configuration. Was nursing this for a week or two when I started getting garbage in some source files. Was thinking maybe the hard drive was defective but have a hunch the encryption just went haywire and was getting worse. Turning File Vault off failed with an error. Have reinstalled the OS keeping a plain-text home dir and things seem dandy.

Has anyone seen this before?

Re:File Vault (1)

MagneticMountain (666496) | more than 9 years ago | (#10663179)

I have never seen it personally but I have heard stories on the Mac forums and other places of things like this happening.

I would really love to use Filevault, but I guess you could say I'm just a little scared to turn it on after I have heard stories like yours about how people have had Filevault go haywire and lose their data.

Re:File Vault (2, Interesting)

twalls (789774) | more than 9 years ago | (#10663415)

That's really sad, man. I had that happen and it scared the crap out of me (I've got a 15GB home directory). One day I logged in and it just sort of stared blankly at me with all the defaults. I blinked, told myself I was having a very bad dream, and logged off. When I logged back in, everything was fine and I breathed a huge sigh of relief! I guess I was one of the "lucky" ones. I keep using it and I haven't had any more issues... yet.

Re:File Vault (4, Informative)

eyegor (148503) | more than 9 years ago | (#10663205)

It happened to me too.... I managed to get everything back though. There was a sparse diskimage file that contained my home directory. Once I mounted it, everything returned to normal.

Your mileage may vary.

Re:File Vault (2, Interesting)

Matey-O (518004) | more than 9 years ago | (#10663511)

think they coulda named it something better than 'sparse diskimage'? I blew away all my settings (yeah, boo hoo, won't do THAT again) cause the diskimage was roughly the size of the two huge AVI's I just threw away and I wasn't getting my diskspace back after emptying the trashcan.

Name it something like 'Secret Encrypted File' or something...

Re:File Vault (1)

Numeric (22250) | more than 9 years ago | (#10663262)

I used FileVault and I was impressed that I was getting such a huge performance hit on my 600MHz iBook; however, one day I rec'd an odd error regarding FileVault. I cautiously decided to play it safe and turn off FileVault.

Re:File Vault (2, Informative)

dema (103780) | more than 9 years ago | (#10663267)

Happened to my boss less than a month ago. Spent a long time trying to recover a lot of his shit (some very important files) and had no luck. Long story short, no one at work uses File Vault now (: Maybe this is something that will improve in Tiger?

Re:File Vault (1, Interesting)

Anonymous Coward | more than 9 years ago | (#10663287)

I had a File Vault eaten when I first installed 10.3, but since some of their updates to it I have been able to use File Vault pretty well when I have tried it. I don't trust it with anything important though, so I don't use it on my administrator account or on my work account, which is kind of sad. I prefer to use encrypted DMG files to store stuff I want private but that I only need occasional access to.

Re:File Vault (4, Insightful)

Daengbo (523424) | more than 9 years ago | (#10663587)

I don't trust it with anything important though

Kind of defeats the purpose, doesn't it?

Re:File Vault (0)

Anonymous Coward | more than 9 years ago | (#10664019)

I don't trust it with anything important

Read: I keep pr0n in it, but only the second rate stuff that I plan to delete first when my hdd fills up.

Re:File Vault (4, Informative)

Anonymous Coward | more than 9 years ago | (#10663302)

Many people had problems with it when it first came out. It was caused by the "recovering space" thing not completing before the user logged in again. I still don't trust Apple's default configuration since there are warnings in their own documentation against using a sparse image, which File Vault does.

I've used this hint [macosxhints.com] for over six months now without problem.

On the other hand, it's trivial to get the user's password from swap, unless Apple fixed this hole already, so there's not much point to File Vault right now.

Re:File Vault (1)

a3217055 (768293) | more than 9 years ago | (#10663467)

what you can get the passwd from swap ?? Can you please explain ?

In other news... (5, Funny)

eventDriven (817686) | more than 9 years ago | (#10663145)

The U.S. Government's ultra-secret monitoring system 'echelon' was briefly unavailable after the NSA's web servers were Slashdotted.

Re:In other news... (0)

Anonymous Coward | more than 9 years ago | (#10663297)

Woohoo! Now I can finally call my girlfriend in the States and go through our sexy terrorist phone sex routine without all the clicking sounds in the background!

Hey baby, whaddya wearing under that burka? Wanna see my black eyed virgin?

NSA Security Guide (5, Funny)

Anonymous Coward | more than 9 years ago | (#10663166)

Always leave an NSA auto-secure port (9999) open on your machine.

Disregard any unexplained background executables.

Always use IE when surfing.

Confine all discussion of terrorist/anti-government actions to public networks (or private ones, we don't really care)

Slashdotted already? (5, Funny)

BandwidthHog (257320) | more than 9 years ago | (#10663171)

Alright, we've slashdotted the NSA!!!!!

Now we can safely do, umm, whatever it is that we thought we couldn't do safely while the NSA had an active internet connection. Psst, any terrorists out there need a browser with 128-bit SSL enabled?

Re:Slashdotted already? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10663200)

"The American way of life is vastly overrated; vote for Bush."

+1 insightful on your sig

Re:Slashdotted already? Nope. (3, Funny)

Roadkills-R-Us (122219) | more than 9 years ago | (#10663472)

They didn't /. us^H^Hthe NSA.

They /.'d the NSA OS X hacker honeypot. Traffic recording and analysis is proceeding just fine, thank you. As are the webcams. I hope your co-workers don't use that keyboard-- don't you have a handkerchief?

Re:Slashdotted already? (0)

Anonymous Coward | more than 9 years ago | (#10663492)

I doubt the spooks share the same pipe as the NSA's webserver. Assuming they do, GO GO GO OPERATION RED DAWN

Re:Slashdotted already? (1, Flamebait)

drinkypoo (153816) | more than 9 years ago | (#10663718)

Be careful; a teenager in grass valley, CA was recently picked up by the FBI because, when asked on the web if he would like to meet bush, he said yes because he'd like to punch him in the nose.

Welcome to amerika, folks. It's too bad Bushism already means a horrible verbal flub in which you mutilate the American version of English on national TV, or in a press article, because this is awfully similar to McCarthyism.

Screwed up (5, Interesting)

AKAImBatman (238306) | more than 9 years ago | (#10663222)

Yikes! The replies to this story are completely screwed up. I'm starting to feel sorry I ever tried to make a joke [slashdot.org] . I figured others would have something more insightful to say. Well, since no one else will, I'll try to say something insightful.

It seems to me that most OS X users are pretty quiet on the topic because they can't find anything to say. Not because they're ashamed, but more because OS X Just Works(TM). Since the OS Just Works(TM), security guidelines like this are nothing more than hints on how to prevent users from accidentally opening security holes.

Contrast this with Windows, where everyone is always looking for the "magic solution" that will allow them to completely close off the machine from attack. Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly.

Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated. You see, OS X is really the next major release of NeXTSTEP, an OS that pre-dates Microsoft's creation of Windows NT & 95. NeXT got it right back then. Why can't other OS makers get it right today?

Re:Screwed up (2, Funny)

rdc_uk (792215) | more than 9 years ago | (#10663290)

We cannot comment on the report, because we cannot read the report; because we have /.'ed the server.

Oh bitter, bitter irony!

Re:Screwed up (2, Informative)

AKAImBatman (238306) | more than 9 years ago | (#10663341)

You're telling me there are no Mac users (besides myself) that can see The Mysterious Future(TM)? Very well then. Here's a preview of the next article [geektimelinux.com] . SuSE 9.2 is out. There, I said it. Now prepare something insightful to say. :-)

Re:Screwed up (2, Funny)

Otter (3800) | more than 9 years ago | (#10663513)

You're telling me there are no Mac users (besides myself) that can see The Mysterious Future(TM)?

How I am supposed to afford a Mac and a Slashdot subscription?

(Just kidding...please don't start posting Dell comparisons..I know already.)

Re:Screwed up (3, Funny)

baywulf (214371) | more than 9 years ago | (#10663301)

Lex: "It's a UNIX system! I know how to tokening this!"
Yacc: "It's a UNIX system! I know how to parse this!"

Re:Screwed up (2, Insightful)

athanis (241024) | more than 9 years ago | (#10663485)

A lot of users that I come into contact with seem to have a false sense of security. They seem to think that if they have an antivirus software, then their computer would become immune...
But I think more needs to be done to educate the public that security isn't any single software/component, but rather, a process.. From passwords, to firewalls, to antivirus, to spyware, there are many parts to it.

I think it's unfair to blame the OS solely. Application developers need to be aware of bugs and potential problems. No matter how hard you idiot proof a system, they will build a better idiot, as the saying goes.

Re:Screwed up (1)

mobby_6kl (668092) | more than 9 years ago | (#10663493)

>Some might argue that OS X is so secure because the developers had an opportunity to view OSes which came before them. This may seem like a reasonable argument, but quickly falls apart once OS X's heritage is investigated.

I don't know who would argue like that but yeah, you are probably right, it's not in the heritage, at least not on Apple's side. Still, it's very simple: OSX is so secure because it's based on BSD!

Re:Screwed up (1)

legirons (809082) | more than 9 years ago | (#10663846)

"Yet Windows insists on requiring various services (e.g. RPC) to be running and publicly available before it will run properly."

Hmm...

# nmap localhost

25/tcp open smtp
1024/tcp open kdm
6000/tcp open X11

And that's Debian. Mandrake had about 10 ports open by default, including SUN-RPC and I think it opens NFS and CUPS by default if you choose certain configuration options. Debian also had a whole host of finger, time, echo, etc. ports open by default.

What's worse? That I can't install a firewall without recompiling the kernel.
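The post above makes the point that a default install can be listening on more ports than the admin expects. Here is an added example (not from the thread or from nmap itself) of the defender-side check that follows from it: parse the per-port lines that nmap prints, such as the three shown in the post, and report every open port that is not on an explicit allowlist for the host. The allowlist, the second scan sample and the `closed` line are constructed for illustration; only the Debian lines come from the post.

```python
"""Flag listening ports that are not on an explicit allowlist.

Added example for the Slashdot thread; not code from the thread or from
nmap. It parses the text nmap prints per port ("25/tcp open smtp") and
reports anything open that the host's policy does not expect.
"""
import re
from typing import List, Set, Tuple

# One nmap port line: "<port>/<proto> <state> <service>".
# The service column may be empty for unknown ports, hence \S*.
PORT_LINE = re.compile(r"^\s*(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S*)")

# Port lines quoted in the post (Debian).
DEBIAN_SCAN = """
25/tcp open smtp
1024/tcp open kdm
6000/tcp open X11
"""

# Constructed sample standing in for the "about 10 ports open" Mandrake
# install the post mentions; the specific lines are illustrative, not
# captured output.
CONSTRUCTED_MANDRAKE_SCAN = """
Starting nmap (constructed sample)
13/tcp   open   daytime
22/tcp   closed ssh
111/tcp  open   sunrpc
631/tcp  open   ipp
2049/tcp open   nfs
6000/tcp open   X11
"""

# Constructed policy for a mail host: only SMTP should be reachable.
MAIL_HOST_ALLOWED: Set[Tuple[int, str]] = {(25, "tcp")}


def parse_nmap_ports(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) for every port line in a scan.

    Non-port lines (banners, blank lines) are skipped rather than
    treated as errors, so the parser tolerates a full nmap report.
    """
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            results.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def unexpected_open_ports(text: str, allowed: Set[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Return (port, proto, service) for open ports missing from the allowlist.

    Only ports whose state is exactly "open" are considered; "closed" and
    "filtered" entries are not exposure and are ignored.
    """
    return [
        (port, proto, service)
        for port, proto, state, service in parse_nmap_ports(text)
        if state == "open" and (port, proto) not in allowed
    ]


def report(text: str, allowed: Set[Tuple[int, str]]) -> str:
    """Human-readable summary of the unexpected ports in one scan."""
    extras = unexpected_open_ports(text, allowed)
    if not extras:
        return "OK: no unexpected open ports"
    lines = ["%d/%s (%s)" % (p, proto, svc or "unknown") for p, proto, svc in extras]
    return "UNEXPECTED: " + ", ".join(lines)


if __name__ == "__main__":
    print("Debian  :", report(DEBIAN_SCAN, MAIL_HOST_ALLOWED))
    print("Mandrake:", report(CONSTRUCTED_MANDRAKE_SCAN, MAIL_HOST_ALLOWED))
```

Run it against a real scan by feeding `nmap localhost` output into `report()`; the point of keeping the allowlist explicit is that a new service appearing after an upgrade shows up as a diff against policy rather than as one more line nobody reads.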

Counterintuitive... (4, Insightful)

Anonymous Coward | more than 9 years ago | (#10663225)

Since it's a security site, I'd expect it to display a warning and disable the site if you are clueless enough to accept the cookie!

You gotta start with the fundamentals...

Guide for Linux? (2, Interesting)

brandonp (126) | more than 9 years ago | (#10663231)

This is very cool, is there also a Security Guide for Linux? Sounds really helpful.

--
Brandon Petersen
Get Firefox! [spreadfirefox.com]

Re:Guide for Linux? (0)

Anonymous Coward | more than 9 years ago | (#10663488)

/. UID of 126 and he doesn't RTFA. There's been NSA security guides for windows/other linuxes for years.

Security-Enhanced Linux (0)

Anonymous Coward | more than 9 years ago | (#10663655)

Not to mention Security-Enhanced Linux (SELinux), which was started by the NSA.

is there a reason why the NSA won't (0)

Anonymous Coward | more than 9 years ago | (#10663282)

release linux security guides? Do they only help out commercial outfits? Is this some kind of capitalist side effect?

Re:is there a reason why the NSA won't (2, Informative)

jasonbowen (683345) | more than 9 years ago | (#10663404)

I guess you haven't heard of SELinux?

Re:is there a reason why the NSA won't (2, Informative)

psyconaut (228947) | more than 9 years ago | (#10663447)

They did, didn't they? In the form of their own Linux distribution.

http://www.nsa.gov/selinux/

If you read the source and documentation, it's quite clear what they did. Producing a "boiler-plate" security document for all Linux distributions would be futile -- there are too many variables involved.

A commercial product such as OS X is quite a bit more linear, and thus easier to release a straightforward guide for.

-psy

Keychain Access Gripe (5, Informative)

finkployd (12902) | more than 9 years ago | (#10663288)

I finally found something about OS X that I absolutely hate and is making me question the entire OS. OS X has its own digital certificate/private key cache (which also stores passwords, but that is irrelevant), which is convenient for applications that use certificates and private keys for identity (like Safari and Mail.app). It also has a nice utility for managing this environment (Keychain Access).

HOWEVER, Apple (for reasons I cannot fathom) has decided to not allow keys and certs to be exported from this cache. This is totally unacceptable and horribly wrong. In this email [apple.com], which confirms my worst fears, Peter Sagerson says it best:

In Jaguar, private keys are never exportable. This seems kind of silly, since my digital identity should be linked to me, not the platform, the machine or that particular (and transient) installation of the OS. In Panther, Keychain Access has an Export command, but it's never enabled. I don't see a Keychain-level API for key export and the CSSM API doesn't seem to work. So it's hard to tell what the intention is.

The intention seems to be the very incorrect idea that the digital identity belongs to the computer, and not the person. I have figured out how to move my cert and key to another Mac: that is simply creating a new keychain, copying certs to it, and moving the new keychain file to another machine. However, I still cannot get them out of Apple's proprietary format to move them to any non-OS X platform. I have posted this question [apple.com] to Apple's usually helpful discussion forum, but have received no answer.

This is most disturbing and calls into question both Apple's competency with regard to security in general, and their intentions with regard to what the user can do with their own data (or in this case, their own identity).

Re:Keychain Access Gripe (1)

AKAImBatman (238306) | more than 9 years ago | (#10663450)

Am I the only one who thinks that computers should start shipping with a pack of smart cards? You simply create your identity on the card, then it acts as a universal "computer key" for computers you have access to, i.e. one could think of it as a car key for their computer.

Such a design would be pretty transparent to users, and could easily fit in with the way they expect day to day things to work. You can even recommend that they make a backup card at card creation time, so that they can stash it in a safe place (say they lose their original card or something). When the backup card is inserted, the user would be prompted to revoke the old keys and create a new key set.

Re:Keychain Access Gripe (3, Interesting)

finkployd (12902) | more than 9 years ago | (#10663560)

Everyone has USB, why not use this instead of requiring a card reader?

Excellent idea though, I have been in support of that concept for a while. This could be extended to requiring a password to unlock the private key on the card/USB drive, or even have a small thumbprint reader on the card/USB drive itself to unlock the key. This would remove my major complaints about biometrics (i.e. replay attack).

These technologies all exist and would be simple, but people simply do not see the need for them so there is no demand (outside of some rare government, education, and corporation groups). Unfortunately the average joe is content with a digital world that relies completely on his mother's maiden name for authentication :(

Finkployd

Re:Keychain Access Gripe (1)

AKAImBatman (238306) | more than 9 years ago | (#10663698)

Everyone has USB, why not use this instead of requiring a card reader?

The only reason is that smart cards are cheap. I can pack all the security info I need on a card that costs $1.00 - $5.00 each. In comparison, a USB key has to have a variety of communications electronics that make its minimum price somewhere around $15.00 a key.

So it's really a matter of economics. :-)

Re:Keychain Access Gripe (1)

amake (673443) | more than 9 years ago | (#10663508)

I don't know about your specific situation, or much about certificates in general, but I have a Thawte free email certificate that came as a .p12 file. Opening that file in Keychain Access added the cert to my Keychain, but the file still remains, and is perfectly portable (I make use of it every time I have to trash my Firefox profile). Did you not get your cert this way? Did you just not keep the original file? Because if that's the case, that seems more like your fault than anything else. I agree, though, that Apple should allow exporting of Keychain certificates.
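
As an added example that is not from this thread or from Apple, the shell script below shows the portability point made above (the .p12 file is the thing to keep) together with the export finkployd is after earlier in the thread (getting the identity onto a non-OS X host). It builds a throwaway certificate and key with openssl, bundles them into a PKCS#12 file the way a CA-issued .p12 is packaged, then unpacks that file back into PEM and checks that the restored key really belongs to the restored certificate. It assumes openssl is on the PATH; the subject name, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: a .p12 (PKCS#12) file is
# the portable form of a certificate plus private key. Keep it, and the
# identity can be re-imported on any platform regardless of what Keychain
# Access will or will not export. Assumption: openssl is on the PATH.

WORK="${TMPDIR:-/tmp}/p12-demo.$$"
PASS='demo-export-password'   # constructed for the demo; prompt for real exports

# make_identity: self-signed cert and RSA key standing in for the CA-issued pair.
make_identity() {
    mkdir -p "$WORK" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=demo@example.invalid' \
        -keyout "$WORK/id.key" -out "$WORK/id.crt" >/dev/null 2>&1
}

# bundle_p12: package cert + key into identity.p12, the file you should keep.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORK/id.key" -in "$WORK/id.crt" \
        -name 'demo identity' -passout "pass:$PASS" -out "$WORK/identity.p12"
}

# unbundle_p12: recover the cert and the key from the .p12 on another platform.
unbundle_p12() {
    openssl pkcs12 -in "$WORK/identity.p12" -passin "pass:$PASS" \
        -clcerts -nokeys -out "$WORK/restored.crt" 2>/dev/null &&
    openssl pkcs12 -in "$WORK/identity.p12" -passin "pass:$PASS" \
        -nocerts -nodes -out "$WORK/restored.key" 2>/dev/null
}

# identity_roundtrips: succeeds only if the public key inside the restored
# certificate matches the public half of the restored private key.
identity_roundtrips() {
    make_identity && bundle_p12 && unbundle_p12 || return 1
    cert_pub="$(openssl x509 -in "$WORK/restored.crt" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$WORK/restored.key" -pubout)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cleanup: remove the demo key material.
cleanup() { rm -rf "$WORK"; }
```

On a real identity you would skip make_identity and point bundle_p12 at the cert and key you already hold, or go straight to unbundle_p12 with the .p12 the CA sent; the match check at the end is the same either way, and is worth running before you trust a migrated identity on the new machine.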

Re:Keychain Access Gripe (2, Informative)

MoneyT (548795) | more than 9 years ago | (#10663749)

Well, it's not the best solution, but if you want to move your keychain from one computer to another, just open the Keychains folder in your User library (~/Library)

Keychain itself designed to be portable (4, Informative)

daveschroeder (516195) | more than 9 years ago | (#10663840)

Apple is most certainly not tying digital identity to the computer.

Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.

Further, that certificates are even in your keychain at all implies that you should have access to the original source certificate files, which clearly remain portable.

And finally, rumor has it [appleinsider.com] that Tiger will include much more advanced features for managing, importing, and exporting certificates and CAs.

Re:Keychain Access Gripe (0)

Anonymous Coward | more than 9 years ago | (#10663874)

And if you just want to export the data from the keychain in human readable form, try man security.

THE NEXT STORY ROCKS! (-1, Offtopic)

Staos (700036) | more than 9 years ago | (#10663329)

Posted by michael [slashdot.org] in The Mysterious Future!
from the if-you-love-something-let-it-go dept.
InnerPhalanx [mailto] writes "Today, SuSE 9.2 Professional Edition has been released. SuSE writes: 'It combines a fast, secure operating system and more than 1,000 popular open source applications. It is the first complete Linux package to harness both the improved Linux kernel 2.6 and the recently enhanced GNOME 2.6 and KDE 3.3 user desktop environments. Ideal for Linux enthusiasts and developers, SUSE LINUX Professional 9.2 improves support for mobile users and delivers a host of essential tools.' More information at the SuSE [suse.com] website. The price is $89.95. The update version is $59.95. A live DVD image is also available on the SuSE website, for use by DVD. Have fun, SuSE Pro users!" Reader tannhaus submits an early review [geektimelinux.com] .

Who took down NSA? (0, Redundant)

Anonymous Coward | more than 9 years ago | (#10663379)

Is it too big a leap to claim that Mac OS X users are to blame? Who else would want that PDF?

What about users of other OSes? (2, Informative)

athanis (241024) | more than 9 years ago | (#10663425)

How come the NSA only publishes guidelines for the MacOS? Actually, I think that with the recent onslaught of network vulnerabilities, government organizations would do well to educate the public more about security.

In fact, where I live (Hong Kong), the government had a radio show where there would be a quick tip about securing your machine. Obviously, the focus was on Windoze, but anything that elevates the awareness of the general public to computer security is a good thing.

And in other News..... (3, Funny)

mbrewthx (693182) | more than 9 years ago | (#10663430)

The infamous CowboyNeal was arrested today at his private hovel. The Department of Homeland Security issued a statement saying that he was the head of a secret conspiracy to disrupt the online functions of the NSA. There was no comment from CowboyNeal or his attorney, a Mr. Taco. But he is said to be enjoying Steak Tartare with his prison mate Martha Stewart. Mr. Neal's activities apparently caused serious lag in the NSA's end of the month CS tournament.

They're... still... up (5, Funny)

twalls (789774) | more than 9 years ago | (#10663533)

Several people have already called the slashdotting. They're still alive and kicking! Gotta give em credit for trying. "Mr. President, we're giving her all we can! She just doesn't have enough bandwidth!" "Well, why not just use one of the other Internets?"

Another excellent OS X security guide (4, Informative)

daveschroeder (516195) | more than 9 years ago | (#10663564)

Corsaire Ltd has an excellent practical OS X security whitepaper [corsaire.com] in this same vein.

Mirror anyone? (1, Redundant)

Swedentom (670978) | more than 9 years ago | (#10663787)

Anyone got a mirror of the security guide? I'm downloading the PDF at 0.3 KB/s. :-)

Pardon Me while I take a NAP while waiting for my (3, Insightful)

sir lox elroy (735636) | more than 9 years ago | (#10663912)

download to complete, DOH, it's now stalled. /me wants to call the NSA and ask if they can mail me a printed version of the document; it would be faster.