When asked about which platform was safer this is what he had to say:
. Why do we care what this guy has to say? Well, for starters he was awarded a $10,000 prize for gaining shell access to a Macbook Pro at the CanSecWest security conference just over a week ago.<br />
<span id=)
I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies.
But fear not because Dino had some advice for Mac users to help keep things a bit more safe on your rig:
I recommend that Mac users make their primary user a non-admin account, use a separate keychain for important passwords, and store sensitive documents in a separate encrypted disk image. I think these are fairly straightforward steps that many users can take to better protect their sensitive information on their computer.
You know what would be fun? Betting Dino his brand new Macbook on the following:
He runs Vista the same way I run OS X for the next 60 days. Everyday use, no anti-virus, no anti-malware. We then measure combined losses for each of us in:
Productivity
Response
Replacement
And see who wins. And just to note, I’ll be hotdesking it, so I’m sure my exposure will be significant.
It sounds like he’s only talking about the NEW code in vista being more secure.
“It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code.”
so the newly written code is more secure
too bad it’s still using way too much of the old crappy bloated windows code
For those who don’t know what the SDL is all about:
Basically, Microsoft declared a bunch of standard C library calls were deprecated. Things like strcpy, sprintf, and so on. Thus new Microsoft code does the right thing and uses the safer alternatives.
http://msdn2.microsoft.com/en-us/library/bb288454.aspx
What the guy seems to be missing is that Apple effectively did exactly the same thing. For example, Cocoa applications don’t use strcpy or sprintf; in fact, they don’t use C strings at all. Instead they use NSString and its methods.
In addition, the fact that these deprecated functions are a bad thing isn’t exactly a secret. It has been common knowledge to any C programmer for years. There are tools to audit old code for the dangerous calls; open source tools, even.
So basically, the claim is: this stuff that Microsoft’s doing, that everyone else does too, will make Vista more secure than OS X.
I don’t buy it.
I actually like the new Microsoft operating system, it’s one of the three things they’ve done quite well recently; Xbox 360 and Zune included.
And how exactly did “security researcher Dino Dai Zovi” determine the “code quality” of both Vista and Mac OS X? Must be cool to not only have access to the source code for both platforms, but to also have the time and skill set to identify and analyze all of the security-related code.
What a load of bumf. I doubt very much that Mr. Zovi actually said that. From what little I could find out about him, he seems to know enough about computing and security to have not said a ridiculous blanket statement like that.
I believe this is all relative, OSX never had the market penetration that XP/Vista had, hence not as big of a target for your everyday hacker. Saying one is better then the other (security wise) just doesn’t hold any water no matter what angle you take… based on this guys test, he found Vista better but another person with different criteria may find the opposite to be true. Either way… OSs are far more secure today then DOS/System 6 days – and for that, I am glad.
Jon
Jon, had you ever even HEARD of Zovi before he cracked a Mac (after he FAILED to do so on the original test and they made it easier)? Nobody had heard of him and now he is well know.
The same would be true of any hacker who actually got into Macs in the real world.
Your argument of “security through obscurity” has long been disproved and it also just doesn’t make any sense. The fact remains that there are tens of thousands of pieces of malware infecting Windows-based computers in the wild and there are NO pieces of malware infecting OS X in the wild (unless you count “clippy” as being malware).
Don, my comment wasn’t squarely in the “security through obscurity” field, that is bogus, I am with you on that.
I really don’t care who says what and how, the point being that the test results and the environment the OS is subject to can be modified (like statistics) to express your personal goals or ambitions (consciously or subconsciously).
Anyways, this was fun, the sun is coming up so that is my Q to go to bed…
Jon