
Mac OS X Maximum Security

honestpuck writes "Security has long been a concern for Unix administrators who find themselves connected to the sometimes dark and dirty world of the Internet. With the advent of personal operating systems with file sharing, remote login and built-in web servers, and the spread of broadband networks with their always-on connectivity, it should now be a concern for everyone." Specifically, honestpuck is talking here about Mac OS X; read on for his review of Sams Publishing's Mac OS X Maximum Security.
Mac OS X Maximum Security
author John Ray and William C Ray
pages 768
publisher Sams
rating 7
reviewer Tony Williams
ISBN 0672323818
summary Comprehensive but sometimes long-winded book that covers security on your Mac well

It really didn't concern me until one day when I was checking the logs on my Mac OS X box while developing a web app and discovered dozens of entries from all over the globe probing my box to see if it was an insecure IIS server. I then decided I needed to pay attention to security alerts and the help of a book like Macintosh OS X Maximum Security to help me understand and fix any holes.

The Good

The book is divided into four sections. Part 1 is about learning to think about security, covering such topics as physical security and protection from your users and bad guys. Part II, 'Vulnerabilities and Exposures,' covers the various sorts of attack such as password attacks, trojans and worms, sniffers and spoofing. Part III, 'Specific Mac OS X Resources and How To Secure Them,' covers just that, the various servers such as FTP, mail, Apache and SSH and how to go about making them safe. The final part covers attack prevention, detection, reaction and recovery with topics such as firewalls, alarm systems, logs and disaster planning.

Macintosh OS X Maximum Security is a large, extremely comprehensive volume. For the average person who wants to protect a small home network the information it provides is probably overkill. To make matters worse, the style is fairly verbose, particularly in the first section. Of course, if you want to secure a company network then you may need to know all the information -- and so all this background material is useful, if only so you can reach the right level of paranoia and suspicion.

The book is not a 'recipe' book that tells you "take these steps and you will have a secure machine"; rather it takes you through the possible holes and how to fix them. This approach seems much better for security, since it teaches you a respect for the places you have to open up and a methodical approach to doing so that will hopefully carry over beyond the specifics addressed. Any recipe is bound to have flaws since the operating system and the services are all changing; I'm hoping the methods and style this book has imparted to me will last beyond any changes.

The book also deals well with all the Macintosh-specific stuff, informing you well about such topics as Rendezvous, Apple Remote Desktop, using NetInfo and the like. One aspect that isn't well covered is Airport; securing an 802.11 network is barely touched on.

The Bad

The information provided in all areas of the book is quite detailed, and includes many links to further places to look for more (and more recent) information. Once again, for a book in an ever-changing field like security, this is a huge benefit. I would have appreciated some sort of a small website devoted to the book with the links mentioned gathered together and perhaps some notes on how things may have changed since the book's publication. Unfortunately the Sams Publishing site has a broken link to the book and while the authors say "we are creating a security section for the www.macosxunleashed.com website," no such section exists as I was writing this review. Frankly I am disappointed at this; I think with a book on this sort of topic it behooves either the publisher or author to provide a place for errata, discussion and notes. The best you can do is go to Amazon where you can see the Table of Contents and one chapter. [Ed. Note: The site's errata section is currently up and running.]

My only real complaint with the book itself is the huge size, and the long-winded nature of some of the material. I found the first two sections in particular almost tedious and definitely lecturing in tone. I would have rated this book higher if the editors at Sams had taken a large red pencil to slabs of the first section. Overall, I'd say that while not a 'must buy,' this book will have to do till I find something better, and I expect to loan my copy to several friends.


You can purchase Mac OS X Maximum Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

  • by Knife_Edge ( 582068 ) on Tuesday August 19, 2003 @12:57PM (#6734596)
    Looking under the hood, it gets worse. While all other *nixes use standard ELF binaries, Darwin (Apple's name for their proprietary "Unix" kernel) does not. It uses Mach-O, an unproven format that is proprietary to Apple. The moribund FreeBSD, off which OS X is based, uses ELF, so clearly Apple went to the extra effort of "switching" (heh) simply to break compatibility. Additionally, Apple has moved most configuration info from human readable text files into a proprietary database called "NetInfo", which is much like the Windows registry we all loathe. Why? These are only a few of the ways that Apple has deliberately broken compatibility with other systems, presumably in order to lock users in to expensive Mac hardware.

    Sure, this guy is a troll. But these are legitimate criticisms, with at least a grain of truth to them anyway. I especially hate the poorly documented NetInfo, and I'd like to add that it is impossible to cross-compile with OS X as a target, due mostly to their unconventional binary format. Very trollish tone, I'll admit, but we should all remember that OS X is set up as a closed system from many perspectives. I recall another fellow who was moderated as a troll for criticizing the iTunes music store as being evidence of Jobs' desire to turn the computer into a digital shopping mall.

    And I suppose the rebuttal is that hey, Apple is a company, and their goal is to make money, so all this is ok. Well, unfortunately I do not regard 'making money any way you can' as the highest and noblest pursuit of humanity. If Microsoft is any evidence, maybe the problem in the software industry is that being nice does not work to make money. Still, I am less than pleased with Apple taking exclusionary steps towards the freedom of their users. I like the way Aqua looks, and I have no problem with it, but NetInfo? What is the purpose of NetInfo? It certainly isn't an improvement, and actually has some fairly serious security problems, in that any user with shell access can view the entire database with nidump, including passwords of any other user.

    As for the binary formats and cross-compilation issues, Apple's attitude is that if you want to develop for OS X, better have an OS X system! I think their business is being hurt a lot by being built around the need to sell their proprietary hardware.

  • by EnVisiCrypt ( 178985 ) <groovetheorist@nOSpam.hotmail.com> on Tuesday August 19, 2003 @01:11PM (#6734762)
    Windows 98 is vulnerable to the overflow condition that Blaster exploits as well, not just 2K.
  • by Anonymous Coward on Tuesday August 19, 2003 @01:27PM (#6734974)
    I recall, late-98 or so, when a fairly adequate Mac virus actually surfaced. We were thrilled! What more proof did you need that Apple was back, than a virus attempting to take it down?

    Meanwhile, the rest of you can stop with this "juicy target" stuff. There is not, has never been, ANY OS more susceptible to virii than Win.

    Back in the 8.5-9.x days, I used to spread my IP address all over Usenet, in hopes someone would bring down my computer, so I could learn something from the genius.

    Now, I won't quite do THAT, but have little worries about putting an OS X box behind a Linksys router (helps deflect almost everything by itself).

    If only my nights were not so clogged fixing all the neighbors' pathetic 98/2000 and XP boxes. I can't drink anywhere NEAR the volume of free beer I accumulate!
  • Re:A shame (Score:3, Insightful)

    by sammaffei ( 565627 ) on Tuesday August 19, 2003 @01:32PM (#6735038)
    Actually the real reason Apple is not selling OS X on x86 (and Apple does in fact have this) is THEY SELL HARDWARE!!!

    Why kill your hardware sales by selling your OS on a cheaper platform?

    OS X on x86 is a failsafe hardware manufacturing exit strategy. Nothing more.
  • by sqlrob ( 173498 ) on Tuesday August 19, 2003 @02:21PM (#6735522)
    2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    And all 98 developers know their code runs as root. Has that helped?
  • Re:Question (Score:2, Insightful)

    by JediJeeper ( 671434 ) on Tuesday August 19, 2003 @03:00PM (#6735957) Homepage Journal
    Agreed with the other comments offered already. Apple has really taken the initiative on security and met things pretty squarely. Out of the box it is quite secure, almost everything is locked down via the built in tools. Incidentally, I speak from the experience of being Sys-Admin of many Solaris, Windows and Linux boxes. Most of the things Apple has had to deal with actually derive from security holes that have sprung up in third party products such as Apache and PHP (which are really quite solid products). There was recently a security vulnerability with a password buffer overflow on the GUI login screen, but that hack required physical access to the box, and as we all know physical access IS ACCESS, period.

    In my opinion they, Apple, have put forth a considerable amount of effort to avoid the black eyes that a certain Redmond-based company has been prone to, mainly because any significant stumbles could spell certain doom for an OS that only enjoys 5 percent of the overall desktop market.

    Anyway, that's my two cents worth on it. Blast away!
  • by repetty ( 260322 ) on Tuesday August 19, 2003 @03:07PM (#6736018) Homepage
    "It's not that Macs are immune to attack, it's just that there are far less people writing exploits to attack Mac systems."

    I sure wish I had a better memory... Last spring, a study was published on this exact claim.

    Turns out that even when volume weighting adjustments are considered, Macs ARE more secure than Windows (as was Unix/Linux).

    It's time to put this myth to bed.

    --Richard
  • Helpful book idea (Score:1, Insightful)

    by tinypillar ( 695021 ) on Tuesday August 19, 2003 @03:15PM (#6736089)
    I'm not going to get into all the 'what is secure and what is not secure' back and forth posted earlier. The reason I think the idea of a MacOS X security book is a good idea, is mostly due to the number of OS 9 users that are upgrading to X. Some of these users have never used a unix environment, and have never really needed to know anything about securing their computers (with 9). At least with a title like this on the shelf, it will bring to their attention that hey, even though you use a Mac, you still need to be aware of how to secure it. Anything to help educate others on security, I can only see as a good thing.
