It’s about time someone realized what we in the Mac Internet community have been saying for years. Even better, that someone is the U.S. Army. Here’s the story. It seems that on 28-Jun-99, an intruder gained illegal access to the home page of the U.S. Army and modified its contents. Organizations like the Army hate that, and on 30-Aug-99, FBI agents arrested a 19-year-old Wisconsin man for "malicious altering to a U.S. Army Web page" in connection with the incident.
The compelling aspect of this story is that as a result of the break-in, the U.S. Army has switched the machines that serve the Army’s home page from Windows NT-based PCs to Power Macintosh G3s running WebSTAR from StarNine Technologies. Christopher Unger, Web site administrator for the Army Home Page, didn’t reveal the specifics of what was done to the page, how it was done, or what the Army planned to do to prevent further intrusions, but he did say that the Army had "moved its Web sites to a more secure platform," basing the choice of the Mac OS over Windows NT on information from the W3C (World Wide Web Consortium). Using Netcraft’s "What’s that site running?" utility, I was able to verify that the Army’s main Web server is now running WebSTAR 4.0 on the Mac OS. However, other less-obvious Army Web servers linked from the main Army home page generally run either Netscape Enterprise on Solaris or Microsoft IIS on Windows NT.
There’s no telling if the Army will move its secondary servers to the Mac OS to prevent them from being cracked as well, but the W3C does compliment the security of the Mac OS in its WWW Security FAQ, saying "The safest Web site is a bare-bones Macintosh running a bare-bones Web server." In information specific to WebSTAR, the W3C notes:
"As far as the security of the WebSTAR server itself goes, there is reason to think that WebSTAR is more secure than its Unix and Windows counterparts. Because the Macintosh does not have a command shell, and because it does not allow remote logins, it is reasonable to expect that the Mac is inherently more secure than the other platforms. In fact this expectation has been borne out so far: no specific security problems are known in either WebSTAR or its shareware ancestor MacHTTP."
This logic also applies to other Web servers for the Mac OS, such as Quid Pro Quo, AppleShare IP’s built-in Web server, NetPresenz, and even Personal Web Sharing.
Old News — Of course, this information isn’t news to the Macintosh Internet community, where the security of the Mac OS and Macintosh Web servers has long been known. In "Macintosh Web Security Challenge Results" in TidBITS-317, Chris Kilbourn outlined the approaches used by would-be-crackers looking to take home a $10,000 prize. Then, in "The Crack A Mac Story" in TidBITS-378, Joakim Jardenberg and Christine Pamp talked about the success of the first Crack A Mac challenge. Geoff Duncan look at the motivations behind a glut of subsequent Mac OS security challenges in "The Mac Security Challenge Fad" in TidBITS-385. And finally, we reported briefly on the successful cracking of the second Crack A Mac challenge, a far more complex setup that was compromised via a long-since patched security hole (See "Cracked!" in TidBITS-393).
What’s also old news is Apple’s lack of support for the Mac OS as an operating system suitable for use with Internet servers. Since the Apple Internet Server Solution bundles disappeared years ago, Apple has barely acknowledged the reality of running Internet servers on the Mac OS, despite the many happy Mac users relying on Mac OS-based Internet servers. Even now, servers from Apple run Mac OS X Server, which is essentially Unix. There’s nothing wrong with Unix-based Internet servers, and for very high-volume sites, they’re essential. Even the performance arguments brought up against Macintosh Web servers are essentially moot now, with WebSTAR and Tenon Intersystems’ WebTen providing far more performance than most Web sites require. For the vast majority of Web sites, email servers, and FTP servers, the Mac OS and commonly available Mac OS software provide a familiar, easy-to-use solution without the fuss or security issues of Unix or Windows NT.
Looking forward, it’s almost inconceivable that Apple would once again put forth the Mac OS as a serious Internet server platform. Companies seldom recant a technical stance, and more important, with Mac OS X in the works, Apple doesn’t want to do anything that will reduce Mac OS X’s impact. But it remains to be seen how secure Mac OS X will be when exposed to the Internet’s crackers. With the power and flexibility of Unix at its base, Mac OS X will certainly be attractive to many classes of users – let’s hope that crackers aren’t among them.