Re: [Micronet] Upgrades and Security Requirements...

From: Richard Peters <rap_at_berkeley.edu>
Date: Wed Jun 23 2004 - 10:51:45 PDT

Aron,
I concur. I have not gone the OS X route primarily because of the
decreased security in OS X with security patches over OS 8.x and 9.x native
without patches. I'm now faced with obsoleting hardware, and will have to
move forward to something, but security is no longer such a major factor in
selection from my perspective, so the Mac architecture is less appealing
than it was, and I likely will change architectures given other factors.
..rap

At 10:30 AM 6/23/2004 -0700, Aron Roberts wrote:
>Hi Craig,
>
>At 01:34 -0700 2004-06-23, Craig Lant wrote:
>>As to the idea that "no network-accessible vulnerabilities requiring
>>patches are likely" for <such and such>, so we should give a blanket
>>exception to <such and such>, I don't see that as valid.
>
> That's not what I was advocating; my apologies for any ambiguities in
> my wording of my previous messages that led you to believe that.
>
> The first item in the policy section of the campus minimum security
> standards implies - at least to me - that any software for which vendors
> have stopped providing patches cannot run on the campus network.
>
> If that is indeed what that item means, this would prevent users from
> running - Mac OS 8.x and 9.x - and compel them to upgrade to Mac OS X,
> another Unix-based OS, Linux, or Windows XP. That would likely be
> counterproductive from a network security standpoint, to put it bluntly.
>
> There may be many good reasons to try to migrate users of Mac OS 8 and
> 9 to newer OSes, but compelling them to do so in the name of network
> security is not one of these.
>
> (Here's a simple question: in the years since the founding of IST-SNS,
> how many times has SNS had called to its attention a security issue
> affecting a host running Mac OS 8 or 9?) :-)
>
> Now I understand that the first item in the implementation section of
> the standards appears to qualify the corresponding item in the
> policy. Based on the implementation section's wording, it may instead be
> the case that only hosts with unpatched security vulnerabilities may see
> enforcement action, rather than hosts for which patches are no longer
> available from their OS vendors. Moreover, various comments that you, as
> well as others participating in the setting and enforcement of these
> standards, have made in various campus user group mailing lists, would
> seem to confirm this.
>
> For this reason, it might be good to clarify this: would the standards
> -- as interpreted by you and other authors and enforcers today -- prevent
> users from running Mac OS 8 and 9 on and after May 1, 2005 ... assuming
> that no new significant security vulnerabilities are found in that OS
> between then and now?
>
>Aron Roberts
>Workstation Software Support Group
>
>--
>
>Mac OS 8 and 9 are arguably much more secure than any of the other current
>OSes in reasonably widespread use on campus, at least from the perspective
>of network attacks and risks posed to other hosts on the campus network
>and beyond. (At the console, these OSes are basically wide open, which
>may or may not be cause for concern, vis-à-vis the minimum security standards.)
>
> In these operating systems, 'out of the box':
>
> - No network ports are open.
>
> - Few if any interesting services are offered, and none are
> enabled by default.
>
> - No systemwide command processor is available.
>
> For instance, Mac OS 8 and 9 offer no command shells and no
> cross-platform scripting languages such as Perl.
>
> AppleScript, a systemwide scripting language, could be used in
> exploits, but such exploits would need to be specific to the Mac OS
> (limiting their scope) and would typically rely on social engineering
> for execution under Mac OS 8 and 9; there are few if any programmatic
> means of getting AppleScript scripts to run automatically.
>
> - Very few viruses or worms, most of these ancient, with
> an extremely low rate of infection in recent years.
>
>and, most notably:
>
> - A long operating history with:
>
> o Few reported vulnerabilities, generally minor in impact.
>
> o A nearly clean slate regarding the hosting and spread of
> malicious code with impacts on other hosts on the network.
>
> o Few network-accessible vulnerabilities identified.
>
> As one example, in sharp contrast with IIS and, to a lesser
> extent, Apache, the truly minimal Web Server bundled with
> Mac OS 9 has had no security vulnerabilities identified.
>
> In contrast, we all know the checkered security history of Windows XP
> and other Windows OSes, and to a lesser degree, of a number of Linux and
> Unix OSes. In addition, Mac OS X, over its relatively brief history, has
> had significantly more - and more serious - security vulnerabilities than
> Mac OS 8 and 9.
>
