About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Rants

It's Dèjá Vu All Over Again

Week of 24 February, 2006

It's dèjá vu all over again.
 - Yogi Berra

5 May 2000: a red letter day. Since then the connected world hasn't been the same. Two students in Manila crafted a trojan run from a script sent to Microsoft's Outlook mail client which in short order wreaked destruction for billions of dollars.

The scripting feature had never been used - not by anyone. Still, it was there and not turned off. The students in Manila found it.

Certainly there had been those who objected to Microsoft's way of writing code before that date, but there was no way anyone could deny something was very wrong after it.

The Love Bug worm encountered no resistance whatsoever. As soon as it started to execute, it owned the entire machine. A standalone system with no internal defence barriers as found in 'real' operating systems, Windows capitulated immediately and ingloriously.

Microsoft's initial reaction - their public statement in the midst of the chaos that ensued - was 'don't open attachments'. Security experts across the planet were up in arms. Perhaps ordinary users hadn't seen the portent of putting an unsafe standalone system on the Internet with that kind of scripting functionality, but Microsoft surely did. Mark Joseph Edwards laid the blame for the five and one half billion dollars of damage squarely at the feet of Bill Gates.

It would take almost two years before Bill Gates came forward with his now infamous 'apology' where he expressed his regret that his software had caused so much pain and misery. As we know today, the occasion was carefully chosen, as the speech was little more than a ramp into his current obsession with 'digital rights management'.

And six years down the line Microsoft Windows remains the same insecure, totally unsafe standalone system it was on 5 May 2000. The only difference is the hype level has grown. With a basic architecture Microsoft are not going to abandon, Windows is doomed.

13 February 2006 started the countdown for Apple Computer. Recognised for having one of the most user friendly and secure operating systems on the planet, ghosts long known to haunt Apple's OS X came back with a vengeance. In less than a week three exploits made themselves known, the one worse than the last.

Experts saw a direct relationship with what happened to Microsoft six years ago. The Love Bug fooled people into double-clicking attachments but the icon displayed was the wrong one; still people opened the attachments and ruined their computers. In Apple's case, the icon was not wrong, making it even more difficult for users to smell something fishy going on.

You can't have flotsam and jetsam from the standalone days hanging about.

In Microsoft's case a relatively unknown scripting feature was put to bad use; in Apple's case it was otherwise long forgotten 'beige box' functionality spooking again: a feature of Apple computers since the Macintosh of 1984, the 'shell' could disguise any file as something it wasn't. In the connected world this is simply a 'no-no'. You can't have flotsam and jetsam from the standalone days hanging about.

Apple's OS X is a direct descendant of Steve Jobs' NeXTSTEP which in turn is a type of Smalltalk GUI layer on top of FreeBSD Unix. As such it is just as impervious to attacks as any other 'Unix' out there.

But that wasn't good enough for Apple. Over a period of over five years the Cupertino corporation missed marketing chance after marketing chance, watching Microsoft release Windows 98, Windows 98SE, Windows 2000, Windows Me, and Windows XP - their entire product line since 1997 - while they struggled to weave old standalone 'beige box' functionality into the pristine faultless design of NeXTSTEP.

They've already paid dearly for missing all those marketing opportunities; as for the indiscretions in taking a secure system and ruining it with standalone features - they're paying for it now.

As long as Apple stubbornly insist on keeping the 'beige box' inside OS X, there will be trouble - and lots of it.

OS X is still miles more secure than Windows will ever be, but an exploit is an exploit, and the type of exploit demonstrated this past week for OS X is deadly - one is all that's needed. The current wave of attacks have been relatively harmless - about fifty computers [sic] worldwide have been affected.

But that's not the point and the security experts know it. The exploits seen this week are a portent of what is to come. They point to serious security holes in the made-over design of NeXTSTEP and FreeBSD that today is OS X. And they point as they must to the fact that any system architectural compromise is certain to sooner or later end in catastrophe. Several further shoes are going to drop, as further exploits are found in the wild, poking at the same holes in the OS X perimeter.

Apple are most likely in denial just as Microsoft have been for the past six years. Convinced they've been doing the right thing all along just as Microsoft are, they will continue to implement 'ad hoc' fixes to what essentially cannot be fixed without a complete system overhaul and total mindset reversal. As long as Apple stubbornly insist on keeping the 'beige box' inside OS X, there will be trouble - and lots of it. The day they ditch that idea for good is the day Apple's OS X is just as good as any other Unix on the planet - 'as safe as it gets'.

But don't hold your breath. As Richard Forno said of Microsoft, it isn't a matter of going through the motions of improving security because one has so much egg on face - it's a question of setting the priorities right once and for all.

Microsoft can't do it - they have too many important vested interests in the status quo - and Apple won't be able to do it either.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.