Most recent comments



Nickname: Steve
Review: While checking for vulnerabilities in OS X is a good exercise for Web servers, the better security test would be to check for holes when the Mac is sitting on someone's desk: visiting potentially damaging Web sites, reading e-mail with viruses attached to them, etc. It is in this environment that if holes are found, the public would think twice about buying a Mac vs a PC.
Date reviewed: Mar 10, 2006 5:38 PM
Nickname: Jeri
Review: If Apple were to create a security czar, I would want the position. It would be the easiest $200,000+ I ever made because all I would have to do is sit on my butt and do nothing!
Date reviewed: Mar 10, 2006 5:17 PM
Nickname: Der passant
Review: The second potentially major Mac security incident in as many weeks has thankfully been debunked. Or was it just bad reporting and no story at all?
Date reviewed: Mar 10, 2006 11:44 AM
Nickname: Nick67
Review: It is only a matter of time before a zero-day exploit of OS X is found. There is money to be made by spam/spyware botnet operators. Heck, the exploit may already exist, and they are just waiting for Macs to gain 7%, 8%, 10% market share before springing it. Script kiddies were annoying, but now it is organized crime that writes viruses and hacks. As soon as there is money to be made hacking OS X, it'll get done. And woe to its complacent users!
Date reviewed: Mar 10, 2006 7:07 AM
Nickname: VidKid
Review: And what you carefully avoid mentioning, Dominique, is that unlike Windows, the majority of OS X exposures are fixed by Apple "before" they are seen in the wild. Of those "hundreds" of OS X vulnerabilities, precious few impacted a purchaser of Apple products.
Date reviewed: Mar 10, 2006 2:44 AM
Nickname: John C. Randolph
Review: I think that what Bud was trying to get across in his very low-key way, was that naming a "CSO" is the kind of thing that an MBA would do, not something an engineer who actually understands security issues would do. How many times has Microsoft proclaimed its "commitment to security," for example?
Date reviewed: Mar 9, 2006 10:29 PM
Nickname: Aram Fingal
Review: It's a difficult thing to promote security as one of the advantages of OS X because you get accused of being a zealot with a false sense of security. Microsoft apologists claim that low market share is the only reason for the Mac's relative lack of actively exploited flaws. I think that's only partly true. There are a number of reasons that the Mac OS really is more secure and it is a valid point to bring that up as a reason to get a Mac. The best thing that could happen for security, in general, would be for the computer industry to become a real oligopoly. Then there would be strong competition driving the development of security features. Microsoft only remained complacent on security issues as long as they did because of their monopoly power. They didn't have to worry about losing market share until things got really really bad.
Date reviewed: Mar 9, 2006 10:28 PM
Nickname: RalphM
Review: I would like to apply as the CSO for Apple. What a cush job that would be. After all, he would have been busy for about one week in the past two years. I could move my office to the golf course and take 10 strokes off my game.
Date reviewed: Mar 9, 2006 9:58 PM
Nickname: shralpmeister
Review: I don't believe media FUD undermined users' confidence in Microsoft. I believe it was having their Windows systems passively infected with viruses, adware, and spyware.
Date reviewed: Mar 9, 2006 9:32 PM
Nickname: Dominique Brezinski
Review: I am a daily Mac user and security researcher with over a decade of experience. Arik makes great points in the article. However, I would like to point out that OS X does not have a perfect security record. A quick search at www.osvdb.org lists a couple hundred OS X and related Apple software security issues. In fact, OS X has had vulnerabilities in standard BSD Unix utilities that were fixed in Free/NetBSD five+ years ago. I love my Macs, but I don't for a minute believe they are secure computing environments. OS X has no core OS level defenses against buffer overflow exploitation (such as non-executable stacks, heap control structure integrity checking, separation of writeable and executable memory regions, etc.) nor semantic containment technologies such as AppArmor (Suse), SELinux, GrSecurity, or systrace (Net/OpenBSD). The reason there are not exploits for OS X coming out daily is not because the vulnerabilities are not there, but rather because not many people are looking.
Date reviewed: Mar 9, 2006 7:50 PM



The views and opinions expressed in these comments do not necessarily reflect the views or opinions of BusinessWeek or the McGraw-Hill Companies.