


Incredible statement

I was talking with a friend who works in a large segmented organization, where administration is done ad hoc in each segment with some infrastructure that covers the entire organization. They were having issues with one of the systems administrators after an outbreak of some viruses in the administrator’s area. After having dealt with the issues in some highly non-professional manners, the administrator came up with the following:

“We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems.” [1]

The number of things that are so wrong about this statement is astounding. The fact that the people for whom the administrator maintains systems bought this line is even more astounding.

Let’s break this down on where the security problems exist, and how this proposed solution helps with them.

If it’s the fact that the Mac traditionally used Motorola processors instead of Intel-based processors and that’s why they don’t have security problems, then going with Mac Minis isn’t going to help, since they’re Intel-based machines (otherwise it would be pretty difficult to do what we’re going to look at next: run Windows on them).

If it’s the fact that Windows has a number of vulnerabilities, especially if it’s not properly maintained and protected with firewalls, then changing the operating system would be an acceptable alteration. But we’re not; we’re going to load Windows onto the Mac Minis.

The reason that the Macs currently are less of a security risk is that there are fewer exploits and known vulnerabilities out there for Mac OS X (and previous versions of MacOS as well). Personally, I expect that to slowly change as Mac OS X gains in popularity. But in this instance, that’s not the method we’re choosing to make these systems more secure.

So we’re left with the best security method I’ve heard of: A different case! By affixing an Apple logo onto the host, we’ve made it more secure, because Macs aren’t subject to the same security problems.

– decaf out

[1] Unfortunately while this quote is as close as I can get to the spirit of what was said, it may not be accurate as I didn’t hear the person say it.

UPDATE:  Since this has been linked to by a couple places now I thought I’d add a quick note to clarify.  It’s not the entire organization that is making this change, just one small (but important) group out of the entire organization.  Probably less than 1% of the people and hosts that exist in the organization.

4 Responses to “Incredible statement”

  1. This is not the Mac security you’re looking for. | securosis.com Says:

    [...] (updated: direct link to the original story at deadbeat cafe) [...]

  2. rahrens Says:

    Man, I thought I’d heard everything before, but this one takes the cake! I’ve been in the tech support field with the Feds for ten years, and I’ve used and fixed Macs for longer than that. So I’ve heard and seen a lot of crap over the years, on both sides of the platform divide.

    But to hear of a sysadmin that can actually take that position…methinks he’d be better off in another line of work. Certainly his employer would!

  3. Bob Matsuoka Says:

    I agree that using Minis to run Windows is a bad idea. But this person has (probably inadvertently) suggested something that many security experts think is a _very good_ idea — to run Windows more securely by using virtualization. The host OS could as easily be Windows or Linux as a Mac.

    There is also no evidence for your explanation of the security of OS X — The use of Intel Macs, and Macs overall, has increased substantially over the past few years, and yet there are still no successful OS-level exploits in the wild.

  4. decaf Says:

    2007-07-13 21:39:40

    Bob,

    Anyone that both terms themselves a ‘security expert’ and suggests virtualization as a panacea for solving system security issues has definitely oversold their skillset. Of the security professionals I know, each and every one of them understands that virtualization _may_ abstract some problems, but you still have a system running that someone can break into, and is likely trying to break into right now. (Okay, I’m a little more paranoid than most people, I admit it.)

    However, in this particular case, virtualization wasn’t even the suggested solution to the security problem.

    But this does remind me of two things I was thinking of blathering about, a Reasonable Paranoia, and why security people like virtualization (and it’s not because it increases security).
