[Ti] Understanding security threats (was Re: Intel Mac Mini?)

Lists lists at tntluoma.com
Wed Mar 1 22:36:11 PST 2006


On Mar 2, 2006, at 12:29 AM, Don wrote:

> I have been following this thread and must admit I don't understand  
> most of it. As a total non-geek who uses the computer mainly for  
> web surfing, emailing, iTunes/ITMS, MS Office and occasionally  
> Filemaker, can someone tell me how I could be hurt by the OS X  
> security leaks?

Basically the thrust is this:

Whenever a browser tries to do something "automatically" for you "for  
convenience" you risk losing some security.

	- This is true for Windows, where Microsoft designed it to be  
essentially possible for a website to do whatever it wanted to  
through Internet Explorer

	- This is true, to a far lesser extent, with Mac OS X, if you use  
Safari, and if you leave the 'Open Safe Files Automatically After  
Download' option checked

The recent exploit basically pretended to be "safe" but really  
wasn't, so Safari could be fooled into opening it.

You can safeguard yourself to a great extent by turning off that  
option in Safari, or by using Opera or Firefox instead.

Chris, on the other hand, claims secret knowledge of another exploit  
that he doesn't want to share too many details about.  He says this  
is because he doesn't want it too widely known.

Some people see this as evidence of Mac OS X's insecurity.

Others remain skeptical because he refuses to be open with his  
evidence, apparently only selectively sharing it with others he  
hand-selects.

Chris has very little interest in other people's opinions of him,  
which some people admire and some people don't, and makes some people  
like him and some people not.

Thus we are left to decide for ourselves whether we want to take the  
word of one individual as to whether or not there are "serious"  
problems with Mac OS X.  He has decided to keep this information in  
his own control, and therefore rob the community of the ability to  
judge for themselves.  He calls this safeguarding the community.   
Others see it as a way to get attention.  Someone suggested a piece  
of software which could solve the problem.  Chris' response was "Do  
you really want to be running a bunch of programs to protect yourself  
against malware?"

One could infer that since he did not say that the software would not  
solve the problem, it will solve it, but he has a personal moral  
objection to anti-malware software and therefore prefers that your  
system be insecure and that Apple be pressured to fix it.  Hard to  
know how we can pressure Apple to fix an exploit we don't know about  
because the people who do have it won't say anything about it.  Then  
again it really might not be that serious.  Again, there's no way for  
us to know, because he is keeping this information he claims to have  
to himself, despite the fact that if there was more public knowledge  
and awareness of the issue, more people could put pressure on Apple  
to fix it.

He could very well be right.  He could very well be full of it.   
There's really no way to know unless you are one of the chosen few he  
deems worthy to receive his insight and information.

I have no doubt that there are remaining security holes.  What I have  
no way to judge is how severe they are and what (if anything) I can  
do (regardless of how Chris feels about the solution).  Personally I  
thought that lists like this were a place where people came together  
to help one another, not to say "Well I know something you don't know  
which puts you at risk but I'm not going to tell you what it is."

But if that's the way he wants to play, then that's what he'll do.   
Meanwhile I'll do the things that I believe safeguard me, including  
running regular backups.



