Apples and Oranges: Leopard Bucks the Trends and Opts for the Counter-Intuitive

Nov 12, 2007 | 4 mins
Data and Information Security

I am no different from most of the Apple fan boys out there. I looked forward to some serious Leopard sweetness for quite some time and tasted it late last week. I am happy to say that Leopard delivers again with regard to usability and overall coolness. Unfortunately, despite my initial giddiness at a shiny new Apple toy, it ain’t all roses and rainbows in the cult of Mac. Apple has struggled for years to break into the business market. Outside of the creative disciplines, Apple has failed miserably. On one front Apple has an advantage if they are willing to capitalize on it. That advantage is with security. It was my hope that with Leopard Apple could finally really leverage OS X’s inherent security features and make inroads into the corporate desktop. My recent installation of Leopard tells me that Apple isn’t serious about going in this direction. A couple of key items really set me off with my new Leopard installation.

Being a security geek, the first thing that flipped my switch was that the firewall was turned off by default. Why in this day of the kiddie scripter, bot nets, and internet bad guys would any developer turn their firewall off by default? In my mind this is completely counterintuitive to the Apple mantra that the OS X platform is the safest platform out there. Even the folks over at Microsoft turn on the firewall in Vista and XP without user intervention. Sure, you can turn it on yourself, but again Apple has for some time touted itself as a plug and play platform. Even the physical design of the iMac speaks to this with its one wire design. If Apple intends to sell itself as a simple-to-set-up platform and be taken seriously by security folks like myself, then turning off the firewall is absolutely the wrong thing to do. I sort of think of Apple’s design theory as a shoe with Velcro straps. It’s designed so that a 3 year old can use it. Using this highly complex design theory, we can relate this firewall issue to a Velcro strapped shoe with no sole. Sure, you can use it, but it offers little protection. And if you do want to turn on the firewall, or add the sole as in the case of our shoe analogy, you’ll need to dig through system preferences to the “Sharing” (again counterintuitive) console to turn on the firewall.

…join me as I steer off topic for a brief rant…

In yet another asinine move, why put the firewall in the sharing console? The security minded may be able to figure out the rationale here, but your average Joe that Apple markets to certainly won’t think to look here to adjust firewall settings. After all, the premise of a firewall is to PREVENT sharing.

… back on track now…

A second snafu on Apple’s part is that Time Machine won’t back up my FileVault encrypted profile. What lunacy is this? Because my data is encrypted it shouldn’t be backed up? Why not encrypt the backup as well? It can’t be a technical hurdle. Both applications, FileVault and Time Machine, are Apple proprietary, so I don’t see why they can’t make the two work together. That is like saying you can’t get your left foot and right foot to work together. Sure, you can hop on one foot to get where you are going, but it’s a hell of a lot easier to walk. Apple is tripping over its own feet on this issue and really needs to reconsider the delicate balance between security and usability.

All in all, Leopard is an improvement over OS X 10.4, but no major strides have been made to bake security into the platform. Until Apple figures out what the rest of the world discovered years ago, I can’t see Apple cracking the corporate markets in a significant way. I think that the only saving grace for Apple right now is Microsoft and the dreaded Windows Vista in all its glorious suckiness.

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.