General discussion

"Holes in Leopard's firewall"

Oct 31, 2007 12:40AM PDT

Complaining that the firewall is not "on"...
Oct 31, 2007 1:20AM PDT

... seems a bit nitpicky to me. If that is to be a major issue, then the article should have also mentioned that the firewall in Panther and Tiger is not "on" when you installed those versions too. I know this to be true because I just did a fresh installation of both OS on a new hard drive and upon checking the firewall just now, found it was not activated.

As far as I'm concerned, I've never depended on it
Oct 31, 2007 7:53AM PDT

as my home PC connected via router and wire has firewalls on, my router has its own stuff built in, etc... never needed it for Macs, though I do turn it on just to be safe.
If those people making up all those complaints about the firewalls knew what they were talking about, they'd also know that OS X is 99.9% more secure than Windows, and that there are few to no viruses lurking out in the wild just for Macs. When was the last time your Mac got hacked by a virus, you had to reinstall the OS, and lose all your stuff? Never had that!
Where is the common sense in the world?
-BMF

Mac OS X is NOT more secure than Windows.
Oct 31, 2007 12:10PM PDT

This just isn't true.

It's the same as the IE vs Firefox issue. It's FALSE.

People are under the illusion that Mac OS X is more secure, because there are currently no viruses in the wild for it. Windows is constantly under attack, because it holds the vast majority of the market - but that doesn't automatically mean it is insecure.

Think of it like this. A big house holding lots of artwork has security cameras, security laser beams to track trespassers, floor sensors, you name it, the whole works. [This is Windows]. There are on average 10 attacks or attempts to get into the building every day by thieves, and this week one attack was successful. Because the "Administrator" has however taken time to properly secure the building, most of those attacks are unsuccessful. I actually have a video documenting security of Windows, such as policies, zone permissions and user control, on my YouTube. Ask if you want a link.

Now take a small house in the country holding nothing but a small painting. There is no civilisation for miles around, and the building only has a small wire fence and a single frontal security camera. This is the Mac. So far this year there have been two attacks; one was partially successful and one failed.

See what I mean? The small house (Mac) is attacked less, whereas the big house with more goods is attacked more. This doesn't automatically mean one is more or less secure than the other.

BMF, you know I am a Mac and a Win user, so you know I'm not biased. But I am stating this as a fact right now, the reason Macs are not targeted is because of their obscurity, and the fact that they are not aimed at corporations. Who wants to bother attacking a machine in someone's home that holds 6-8% of the market, when they can attempt to attack a corporation full of Windows machines?

See what I'm getting at? The Mac firewall is a good thing. Of course you need to close off ports, it's essential. My Windows machine is riddled with permissions and such allowing exactly what I want to do, to be done, and nothing else. I don't use AV, or Firewall (except Windows Firewall), etc, and I have NEVER had a virus attack. Ever.

People need to STOP making false assumptions and learn.

My assertions are based...
Oct 31, 2007 12:21PM PDT

On these:

CIA (Confidentiality, Integrity, Availability) - http://www.yourwindow.to/information-security/gl_confidentialityintegrityandavailabili.htm

Principle of least privileges (Only granting permissions NEEDED to do a task, and no more, thus limiting the scope of attack) - http://www.google.com/search?hl=en&client=opera&rls=en&hs=EEk&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=principle+of+least+privilege&spell=1

The general gist of the idea is to limit what people are doing and to not automatically treat the machine as trusted. This is often how many security models are flawed. In Mac OS X, you don't have to log on as root, to be or become root. Instant flaw! In Windows, granular security permissions can lock the user right down to the floor, and yet an admin can still administrate the machine if needed. Call me an idiot, but I just don't see such fine-grained options in OS X.

Sorry, I based that on what I had thought of
Oct 31, 2007 12:45PM PDT

OS X's UNIX core. From what I heard, UNIX is essentially more secure than Windows. Linux has some better security advantages over Windows (at least some servers do) even if Linux is still being adopted by some.

From what I can tell, the Mac system is more secure, but coming from your view, Windows can combat more stuff. Fort vs. heavy artillery inside. Like your previous analogy. Makes sense, but there are now some things out there that will attack OS X, like that new trojan or something. As Mac users grow in number, hackers will find a way. But at least with OS X, you can easily solve any problems that occur. With my many years of Windows usage, I have had my share of problems, not with viruses, but system issues with files and etc. On Macs, I have had similar problems, but they were much easier to troubleshoot and fix.

But you probably know more about this topic than I do. I assumed that OS X is more secure due to the UNIX core, but I also knew there weren't many viruses for Mac. And Macs tend to fix problems easily for me. I've never had to depend on OS X's firewall, which I have mentioned somewhere before, so I do not consider this a big issue (yet).
I understand where you're coming from though.
-BMF

Oh, I forgot to correct that I meant 99.9% of viruses aren't
Oct 31, 2007 12:51PM PDT

targeted at Macs. That's what it used to say somewhere on Apple. I think... LOL. Oh well. I prefer using Macs than discussing system and security issues or system problems... hardware wise is another story.
Whether Windows is more secure or not doesn't affect me too much. As far as I'm concerned, OS X was the best switch I ever made when it comes to computers. Windows works most of the time for me, but I still have experienced far too many problems with it. I'm quite handy with it though, or so I'd like to believe.

I will always despise some of Windows' problems, though I feel MS itself is good for creating the Xbox. But let's not get into why the 360 is good compared to the other new-gen systems ;-).
-BMF

to be honest...
Oct 31, 2007 12:53PM PDT

unix has actually more holes than people let on.

While being based on UNIX does bring many advantages to the Mac OS, it brings with it all the ramifications it has, too. However, most Macs nowadays seemed to be targeted via Quicktime, not the Unix flaws. Don't get me to go on about sendmail ...>.<

I love Macs, and I love using them, but really, I'd love to see how well they'd cope if we suddenly gave them the market share of Windows. Want my honest opinion? I think within a week nearly every Mac on the internet would be compromised, Apple would have gone virtually bust, and Cupertino would become all but a ghost town.

Let's just hope and pray that Apple doesn't go for the corporate market...

Yeah, well they may not see it that way. Until hackers
Oct 31, 2007 1:01PM PDT

make their switch to targeting OS X, Apple will probably not beef up their security. That's my bet. There are a few security programs and stuff out there for them, but I've heard that some are prone to screw everything up. No thanks. Hopefully Apple will figure it out the right way if there is one. They'll tackle the corporate world, mark my words. They tackled the cell phone industry and look how good they did. They've been reaping profits since the iPhone launch, and not to mention they conquered the MP3 market with the iPod. And it all started from a not-so-well-known computer company. Look how they grew in markets no one would have assumed they would have entered before. And since they already have their Macs to sell to businesses, it's only a matter of how they push them in there.
May nothing bad come upon us Apple loyalists... Happy well... way to be optimistic LOL.
-BMF

Leopard shipped with the Firewall switched off >>>>WHY<<<<<?
Nov 2, 2007 7:37PM PDT

The real question is WHY was the firewall switched off by default?

1 Is Apple sending a deliberate invitation / challenge to hackers?
or
2 Is Apple just guilty of just making a dumb mistake?

Conspiracy vs incompetence?

The saying that springs to mind is "pride comes before a fall"!

I think because it's sensible.
Nov 2, 2007 9:46PM PDT

I can't speak re: Leopard, Windows XP or Vista. But my 5 month-old Tiger OS gives a choice as to what ports, etc. I want to choose when turning on the firewall.

People I know who run those Windows OSs, which I think come with a built-in firewall, still install a security suite, as I did with my W95 and WMe PCs.

This is easily noticed when setting preferences.

I did buy .Mac, which does come with an AV.

I have also found there is more choice in preferences for the various programs.


Angeline (not a Mac moderator)

It's just like Linux. Next I'll be reading that
Nov 2, 2007 11:26PM PDT

"All Linux DOOMED!!.

All current distributions ship without the firewall enabled!!!"

-> Windows needed a firewall. The other OSes didn't. But with all the Windows use, those users are now "programmed" to buy firewalls and antivirus suites.

Bob

Any OS needs a firewall.
Nov 4, 2007 6:53AM PST

And most have some kind of implementation of a firewall. And by firewall I don't mean a "stick it in your face" kind of thing, but any sort of mechanism to block or censor information going in and out of the system.

All or most OSes do need a firewall, and most if not all have one. It forms part of the security model; however, many people do not have a fundamental understanding of this.

It doesn't matter how fancy it is either, it all comes down to the basic principles of security. CIA and the principle of least privileges are the two I tend to use in discussions such as this one. If the implementation is secure, if the design is secure, if the architecture is secure, if the XYZ is secure, it is a secure system. If you actually look at government standards, you would find Mac OS X in the most part falls below Windows in terms of security and corporate suitability/reliability.

I've said it up earlier in this thread and I'll say it again: Just because a system has little or no attention from the virus writers does not mean it is secure by design.

^And until people understand this, there will always be people who shout from the top of a hill that OS X is the bee's knees. I've had more problems with my OS X iBook than I think I have ever had with Windows. That said, I think my HD is on its way out.

Prepare to explain why.
Nov 4, 2007 11:16AM PST

First tell me you understand Unix networking since it's why Unix and its derivatives didn't need such a thing and still don't.

Specifically tell me why inetd is itself a firewall.

Bob

I wasn't just talking about UNIX networking,
Nov 4, 2007 7:05PM PST

but networking in general. A firewall, or any censoring device (IPSec, in Windows, could be considered a firewall as it effectively allows you to censor ports) forms part of the security model.

And if I must, Inetd is a service manager for UNIX systems. That's all I'll say, because I don't appreciate people trying to spin off the topic when I crash people's theories about Apple being the be-all and end-all.

There is a reason why Apple don't dominate the corporate world...

Hello Me, Myself and.
Nov 4, 2007 10:09PM PST

Are you prepared to discuss in detail Why? I think you may be overlooking why, until Windows we didn't need firewalls.

Sadly, Windows has "programmed" people to think that such is always needed.

I offer you a chance to pop open the hood on Unix, Linux, Mac OS X and more to understand why we don't need a firewall.

Tell me when you are ready and we'll open a fresh discussion so you can explain in detail why you think it's needed. I'm ready to explain in detail why it's not.

Bob

well of course
Nov 4, 2007 10:50PM PST

I'd love to discuss these things.

I don't quite know what you mean about Windows "programming" people to think they need firewalls etc, it's people that essentially program themselves to think this. We can't blame computers for people's idiocy, so why blame them for people being gullible...?

I still stick to my original statement - any OS needs some kind of censoring mechanism (i.e., a firewall) to help keep out unwanted traffic. IPSec on Windows is an example, and allows extremely fine control of what can go in and out of the computer from and to the internet, right down to the socket. You may not call IPsec on Windows a firewall, or whatever on another OS a firewall, but as long as it is part of the security model, and helps keep unwanted visitors out, I consider that a firewall. I think perhaps we are disagreeing on the meaning of firewall here rather than the actual fundamentals. I will not ever deny that Windows has its problems, and that there are shedfuls of nasties out there, but neither will I walk with the rest of the Apple sheep and preach that it is flawless and doesn't need any kind of security - because it does. What's more, is most people who target Mac OS X these days don't target the UNIX underlings, but instead the upper architecture such as Quicktime. Proof enough that Apple aren't invincible. I've used Windows for long enough as well, to know that most of the errors are down to the users. My Windows machine is incredibly secure, and to settle the argument I'd even challenge someone to break into it. Believe you me, they'd have a tough time.

But sure, open a new thread if you wish and I will contribute what I know. Admittedly I know less about UNIX than Windows, but I try to remain truthful and if I don't know something I will look it up.

I've seen you argue several times now...
Nov 3, 2007 3:51AM PDT

... that the biggest fact that protects Apple is their limited market share. I agree that a big target encourages more people to go after it than a small target does. However, I feel that you overlook one significant thing that makes Microsoft OS an easier target than Apple (BSD based) OSX. That is the simple fact that Microsoft machines to this very day... still run self executing files, whereas OSX does not and never has. I liken MS exe files to going away on vacation and locking your door, but leaving a note saying anyone who needs to get in can simply find the key under the door mat. No denying that there are still ways of getting into the Apple OS but it does not have this single glaring security fault that exe files present to MS machines.

cheers

grim

Permissions
Nov 3, 2007 6:29AM PDT

It's all about Permissions.

Take away EXE files' permissions to launch as they please and you can pretty much plug that one up.

My Windows system doesn't do anything without my say-so, and this proves it's possible and also that a lot of problems these days are PEBKAC.

Still, I enjoy starting up my Mac OS X and not even having to worry about those security issues offhand.

And don't forget that security all comes back to the user's
Nov 3, 2007 8:08AM PDT

choices. If you run Mac OS X, for the time being, you may not need a firewall, even if you use a router with a built-in firewall or etc. Windows has its own firewall too, and for me, I've had to switch it on and off on multiple occasions to configure my internet settings and whatnot. But the user has to decide if he or she wants a locked up machine that requires a login window for every command (which I prefer and recommend) or if they leave it open and think that they won't get viruses. Which is safer? Apple isn't responsible for the firewall or for viruses hacking into their machines. They don't leave it on probably due to their small market share, which everyone has discussed, but it isn't their job to do so. Windows lets you know when the firewall is on and off, but that's because it needs it. OS X doesn't rely on it too much (yet, as the groups of Mac users are still growing into large numbers).

People are picking on Leopard's "firewall holes" since they can barely find anything worth criticizing. How can it have a hole just because it doesn't come with it already set? That's ridiculous. If anything, Leopard should be picked on for its requirements, not Time Machine or anything else.
-BMF

All or most.
Nov 4, 2007 7:00AM PST

I think you should pick on my iBook.

It's being a ***. I think the hard drive is on its road to failure. Sometimes the pitch changes and it makes clicky sounds. Time to entertain your idea of flash memory? Yes please.

Think on the bright side! Your iBook WANTS
Nov 4, 2007 10:35AM PST

some flash drives, which will have better speeds, lives, and storage for it. Make your iBook happy since it's asking you nicely (or not). LOL. Don't say it was my idea, I just read about it and gave you a link. That would be a form of plagiarism :-O. Don't forget the reduced noises too.
And with flash drives, you get secure data storage or something like that...

What bothers me is why do some people make fun of Leopard? A firewall being off is usually a default for every system, and you just have to configure it to your specs like any other machine (hint, Windows and older Macs were the same way). At least Apple hasn't issued a downgrade to Tiger like MS did, nor did they extend Tiger's death like XP. Well... XP is probably one of the best MS OS-es I have used/use, and maybe 2000 was up there too. Vista goes down compared to Leopard. And because some critics couldn't find anything particularly wrong with Leopard, they pick on the firewall which works fine and Time Machine which does what it's supposed to, backup stuff for you. Doesn't have to be elegant or super cool to watch does it?

What else?... Oh yeah, I can't remember where I may have posted this earlier, but some tests show that Windows runs faster and better on a MBP compared to other Windows laptops. How's Leopard sounding now? Boot Camp and its companions in the forms of VMWare, Parallels, and Crossover are going to set a standard someday. Soon, dual-boot will refer more to Windows + OS X instead of Linux or Classic OS 9.

Apple sets standards.
-BMF