Fog Creek Software
Discussion Board




making a Mac more secure

I have the firewall enabled on my Windows XP PC, and I keep up to date with Windows Critical Updates and updates for Norton Internet Security. Before updating my PC with the latest Windows updates, I back up the registry.

What's the equivalent for a Mac running OS X? My brother has a Mac, and I want to make sure his PC is similarly protected.

Brother of a Mac user
Saturday, October 25, 2003

You can lock down the ports on OS X. Open up "System Preferences", select the "Sharing" icon in the "Internet & Network" category. There you go - configure the firewall, open and close access to the ports you want.

With regards to virus protection. The majority of viruses are written for Windows operating systems. The simple fact he's using OS X makes him less vunerable. While I don't run any virus protection software on my machine, I'm sure there is something available.

Walter Rumsby
Saturday, October 25, 2003

For virus protection, you might want to try Virex from McAffee. It even comes with .MAC, should you sign up for that. (I did, since I wanted Virex and the backup tool anyways)

As for network security, you might also want to add "Little Snitch". It watches for /outgoing/ traffic - a nifty tool to stop spyware from ever reporting home.

Robert Blum
Saturday, October 25, 2003

Software Updateshould be sceduled to run weekly.  If he's extra cocerned he can run as a non-admin user.  Make sure he hasn't enabled root in NetInfo Manager.

Turn the firewall on and only open the ports you need.  There's no system registry to back up, but the home directory should be kept backed up, and the /library folder should get backed up every once in a while (System too if you have a firewire drive or something large enough).  That will keep the system completely restorable if there's a massive crash.

All user centric data is in the home folder, so keep that backed up and you'll be fine.

Lou
Saturday, October 25, 2003

Keep up with security updates, from a terminal type
netstat -an | grep LISTEN, now turn off as much as you can that is listening, then go a remote host a portscan the machine. Turn off as many  services as possible, justify each open one. This isn't any type of sure way to keep secure, but it's a good start, if it isn't listening, the service is hard to exploit.

fw
Sunday, October 26, 2003

It's worth noting that Virex doesn't look for Mac OS X viruses -- there are none. Rather, it's sole function is to prevent you from spreading Windows and Mac OS ("Classic") viruses in email or within files.

Marko Karppinen
Sunday, October 26, 2003

Being a Mac fan (but not fanatic) I'd like to point out a few things:

"You can lock down the ports on OS X. Open up "System Preferences", select the "Sharing" icon in the "Internet & Network" category."

OS X ships with all ports off by default. (What a concept!) Firewall is off, too, and turning it on is not a bad idea.

Re: viruses: fun article here:
http://www.macobserver.com/editorial/2003/08/29.1.shtml
Basically, out of ~70,000 viruses, 579 are for Macs, all but 26 of those are Word & Excel macro viruses, and none are for OS X.

Software Update should not be set to run automatically. Apple isn't perfect and the last big one--10.2.8--caused some major problems, including disabling Ethernet on many G4s. Keep an eye on a site like macslash.com and read what early updaters have to say after the updates. If it's OK after a few days, go ahead and run it.

It makes no difference if he enables root in NetInfo. Root exists whether you go to netInfo or not. All NI does is give it a password so you can 'su -' directly to root. If you don't believe me, say `sudo -s` or `sudo su` followed by `whoami`. `sudo su -` will even land you in root's home directory, /private/var/root.

To back up things like /System and /Library, you'll need something like an external firewire hard drive (with OS X installed so you can boot to it) with Carbon Copy Cloner. I haven't tried, but I doubt you can just drag the System folder to another drive, and booting to an OS X install CD does not drop you to a Mac OS desktop like system 7-9 CDs did.

brian
Sunday, October 26, 2003

"The majority of viruses are written for Windows operating systems. The simple fact he's using OS X makes him less vunerable."

I'd say it makes him more vulnerable, since his system type will have been less battle tested, but statistically less of a target.
Depending on the type of business he runs, this will be better or worse for him in the sort term. If he has speciffic assets that might be the target of a pinpoint intrusion operation, he's probably worse of choosing something less tried. If he is only concerned about being collateral in broad sweep attacks, he's probably better off since he is very unlikely to be a target due to the small percentage deployment of the system.

Just me (Sir to you)
Monday, October 27, 2003

"I'd say it makes him more vulnerable, since his system type will have been less battle tested, but statistically less of a target."

Wow, this is brilliant reasoning.  "Use the system that is constantly being exploited, with a huge community of crackers writing easy to use cracking code updated daily, that has fundamental flaws in it's very design making it insecure, which has dumb defaults making it less secure, because the system with NONE of these traits is less 'battle tested'".

Um, the army that gets trounced every time they go into battle is not "battle tested".  They're France.

And for what it's worth, Walt Mossberg says getting a Mac is a big step in making your system more secure, just in and of itself.

http://www.magatopia.com/columns/Walter_S_Mossberg_-_Personal_Technology.html?page=computer.html

Jim Rankin
Monday, October 27, 2003

"I'd say it makes him more vulnerable, since his system type will have been less battle tested"

Uh... Mac OS X is based on BSD Unix, which last time I checked had been around longer than Windows and was running Yahoo!.

Walter Rumsby
Monday, October 27, 2003

*  Recent Topics

*  Fog Creek Home