Back in February 2007, I wrote that, “I’m more secure on a Mac than I was on Windows XP.” Much has changed since then—in particular, Vista and Leopard were released. Yet much hasn’t changed—I’m still more secure on a Mac. Again, I’ll explain my reasoning.
Again, however, I’ll caveat my statements by saying that I didn’t say that Leopard (that is, version 10.5 of Apple’s OS X) is more secure than Microsoft’s Vista. What I said was that I’m more secure on a Mac, and I truly believe it.
Before I go and revisit the list of issues that I believe are at the heart of my rationale, let’s take a moment to explore some of the underlying major changes in the two systems versus their predecessors, Windows XP and OS X “Tiger.”
Probably the biggest single change in both systems is a fundamental shift in how they protect users and their data. Previously, the operating systems largely focused their security controls on the data/file entities—for example, a file might be readable to a group, but only read/writable to its owner. In Vista and Leopard, on the other hand, there are now security controls over user and application actions—for example, one application might be allowed to open an outbound network data session, while another is additionally allowed to accept inbound network data sessions.
What’s more, even though both operating systems have relatively rich sets of user account controls for permissions and such, these new controls on user actions happen largely at a user level. In fact, both operating systems seem to me to be moving away from the old school model of having an administrator account for system administrative purposes and user account(s) for day-to-day system usage.
Indeed, ordinary users can, in most cases, install software on the system once they have confirmed to the system that they want to and that they know the administrative password to do so.
This really is a fundamental shift in the usability of both operating systems, and I suspect they did it to make things easier and still (hopefully) adequately secure.
Perhaps it’s just me, but I’m not so convinced this is a step forward. Now, I’ll be the first to admit that the old admin/user model wasn’t functioning well in either operating system previously. But, I’m also convinced that the general end-users have demonstrated historically that they aren’t very good at making this type of security decision.
I’m reminded frequently of the old adage, “give a user the choice between security and dancing pigs, and they’ll go with dancing pigs every single time.” Obviously, this adage is tongue in cheek, but the point hits pretty close to home.
Giving the end users the equivalent of discretionary administrative control is a recipe that is more likely to fail than succeed.
With that out of the way, let’s revisit the list of issues from my XP vs. Tiger comparison.
• Familiarity with security mechanisms. Previously, I said, “One of the things that lured me over to OS X from Windows XP and Linux (but that’s another topic for discussion) is that under OS X’s pretty GUI lies BSD UNIX, for all intents and purposes. I’ve been using UNIX systems since the early 1980s and I’m very comfortable there, right down to understanding the underlying security mechanisms quite thoroughly.”
This statement remains true today in the Leopard vs. Vista realm, without a doubt.
The waters have gotten somewhat muddied, however, with the advent of the more user-oriented security model I describe above. The line between administrative and non-privileged has certainly blurred.
Qualitative score: OS X gets a B- while Windows gets a C-.
• Separation of data and executables. Previously, I’d said, “In my familiar UNIX land, all programs are stored in areas of the file system that were outside of the control of users. Specifically, directories including /bin, /usr/bin, /usr/sbin, /usr/local/bin, and so on are where programs go. Users, on the other hand, log in to their own directories, such as /home. Among other things, this has made various administrative tasks like backing up user data, system data, etc., well organized and easy to manage on UNIX systems.”
Here too, the comparison hasn’t substantially changed with Vista and Leopard.
Qualitative score: OS X gets a B+ while Windows gets a D-.
• Privilege management. Now things start to get murkier—and for both operating systems. In comparing Tiger and XP, I wrote, “Pretty much from the start, UNIX has been a multi-user system, whereas multi-user functionality has been a retrofitted feature in the Windows family. OS X has a root user while modern Windows versions have an Administrator user for doing administrative tasks.”
Now, I’m confident Microsoft and Apple will both claim that their newer privilege models are improvements in usability over previous versions, but I remain unconvinced. I find them to be pretty sloppy and no substitute for proper system administration—which, some will argue, died some 10+ years ago.
I give Leopard a score only slightly less bad than Vista’s because its application firewalling doesn’t annoy me as much.
Qualitative score: OS X gets a D+ while Windows gets a D-.
• Program management. Previously, I wrote, “Here’s where OS X really shines. Apple has improved on UNIX in this area. Although the standard UNIX utilities are still in /bin, /usr/bin, and such, Apple apps and most third party apps install in /Applications.”
This hasn’t changed much with Leopard and Vista. I still don’t feel I can remove a major application from a Windows system without leaving behind significant residue, be it directly in the file system in the form of remnant DLLs or in a registry hive somewhere that the uninstaller didn’t clean up.
Qualitative score: OS X gets an A while Windows gets a C.
• Access controls. On the topic of access controls and, in particular, default configurations, I previously said, “OS X installs the default desktop user with administrative privileges. This bothered me to my kernel when I first set up my Mac, so I went out of my way to turn that off.” Regarding Windows, I said, “Windows, once again, shows its security-retrofitted roots here. Normal desktop users generally have far too much write-enabled access to a Windows installation, even if they do not have administrative privileges.”
Unfortunately, I don’t see any improvements being made here. If anything, by my score, we’ve stepped backwards due to the new action-focused desktop security mechanisms I described above.
Still, though, I was able to tweak my Leopard installation so that my desktop user is unprivileged and my administrative user has read/write control over applications. But I still find myself sweeping through the system periodically to clean up the default access controls left behind by various application installers that leave /Applications and /Library/Application Support open to world read/write.
This is sloppy at best, and it enables malware to infect and spread with relative impunity. So, I’m downgrading my score for both operating systems.
Qualitative score: OS X gets a C- while Windows gets a D-.
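The periodic sweep described above can be scripted. The following is an added example, not code from the original post: a small POSIX shell audit that lists every file or directory under the given roots whose “other write” bit is set, and (only when APPLY=1) strips that bit. The defaults at the bottom are the two directories the post names; the function names are my own.

```shell
#!/bin/sh
# Added example: find and optionally fix world-writable entries under the
# application directories the post describes installers leaving open.

# Print each world-writable file or directory under the given roots, one path
# per line. Symlinks are skipped, since their own mode bits are not enforced.
list_world_writable() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -perm -002: the "other write" bit is set (octal form works on both
        # BSD/macOS and GNU find). Unreadable subtrees are ignored, not fatal.
        find "$root" ! -type l -perm -002 -print 2>/dev/null || true
    done
}

# Count world-writable entries under the given roots (useful for a cron report
# that only needs a number to compare against zero).
count_world_writable() {
    list_world_writable "$@" | wc -l | tr -d ' '
}

# Remove the "other write" bit from each world-writable entry under the roots.
# Dry run by default; set APPLY=1 to actually change modes. Run this from the
# administrative account, not the day-to-day unprivileged one.
fix_world_writable() {
    list_world_writable "$@" | while IFS= read -r path; do
        if [ "${APPLY:-0}" = "1" ]; then
            chmod o-w "$path"
        else
            printf 'would run: chmod o-w %s\n' "$path"
        fi
    done
}

# Default audit: the two directories named in the post (hypothetical defaults;
# pass other roots as arguments to the functions to audit elsewhere).
DEFAULT_ROOTS='/Applications /Library/Application Support'
```

Call `list_world_writable /Applications "/Library/Application Support"` for a report, or `APPLY=1 fix_world_writable …` with the same roots to tighten them.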
So, all this doesn’t paint a very pretty picture for either operating system, does it?
The only thing that kept Leopard from failing me in several areas is that I’m still able to invoke the UNIX-like attributes of the underlying operating system to enable security the way I want it to be. I’ve not been so fortunate on the Windows systems I’ve used over the years, as I find the privilege and access control mechanisms to be far murkier.
As a result, I remain steadfast in saying that I’m more secure on Apple’s Leopard than I would be on Microsoft’s Vista. But it does seem to me that, with each subsequent release of OS X, I have to spend more and more time tweaking the operating system’s features before I really feel at $HOME.