The Washington Post says Parallels is bad...

It allows you to drag an attachment icon from Outlook to the Mac tool bar to open a spreadsheet in Excel for Mac, for example, or to drag an image from Safari to Photoshop in Windows. Without it you can only drag and drop files between environments.

 

Yes, I agree and wasn't really SUGGESTING the approval dialogue from my experience. That aspect was offered "tongue in cheek" to keep the FUNDAMENTAL suggestion in parallel, so to speak, with the other suggestions concerning dangers attendant upon interoperability.

FWIW, Shared Networking as the default would go a fair way to improving the overall situation vis-a-vis the network-based attack possibilities. As you and I have both pointed out, however, it is the TOTAL solution that is important, not just one of another particular setting within Parallels. And this is where a familiarity with the Windows environment is important -- along with a familiarity with the solutions available THERE.

Again, this is my experience FWIW and I appreciate the reasoned, calm and courteous discussions of those options. THAT kind of discussion is very definitely a valuable contribution, regarldess of what Parallels or other such interoperability platforms decide to implement.

 

Not all users have the same requirements. I need to be able to turn Windows malware loose in a sandbox to see what it does. Therefore, I NEED TOTAL isolation of the guest from the host and cannot live without it. For this application (one of several, some of which have more relaxed requirements) I can use Parallels only if total isolation is provided as promised on the home page when I bought it.

I would like drag and drop, but opening a tunnel for malware is much too high a price to pay for it.

There should be no access whatsoever between guest and host without a specific operator request (preferably in the form of a drag and drop mouse operation). Any program access to the host initiated by the guest is unacceptable.

I don't need the overhead of guessing whether a specific virus or trojan will or will not exploit a specific hole. I need a complete lack of holes so I can concentrate on my job.

 

For my buck, that pretty much describes what I think should be the default install when you're done installing Windows or any other OS in a VM, bud.

 

Then turn off GFS and use Shared Networking.

 

This is also what I would expect. In fact, there is precident for it. Take a look at the default install of Mac OS. The _only_ service that is turned ON by default that listens on a port is mDNS. That service is simple enough that it can be completely bug-free with a minimum of hassle.

If you want SMB filesharing, you have to turn it on. If you want to run FTP, again you have to turn it on. You want to share a printer? Gotta hunt down the option. The network card is set to not join unknown networks without asking, and the bluetooth is set to invisable mode, by default. The only thing I can think of to lock down a Mac more then the default configuration would be to add a hardware firewall and maybe make it not respond to ping.

I'm used to software that is "secure by default, more usable by options". This is normal for Mac.

It is usually Windows software (I donno about Vista yet...) that is "open by default, lockable by option".

Please, Parallels stick with the Mac way...

 

There are three areas I can think of where the Mac is not as secure as it should be by default.
1. The inbound firewall is by default turned off. If you're behind a hardware firewall this might be ok, but if you're directly attached to the internet, its better to have it on. Many people don't know Mac OS X has a firewall built in (just turned off by default).
2. There is no outbound firewall. I'd like to know what programs are phoning home so that you can spot spyware. LIttle snitch seems to be the standard application for this.
3. The first userid is by default created as an administrator. There are insufficient warnings around this. Mac OS X runs great from a userid without administrator privilege. As a rule folks should not normally use the userid which is the administrator.

I certainly agree with your point, Parallels should not make Mac OS X less secure than it is. Parallels opening up a giant hole for an insecure operating system rampant with viruses and spyware to access the entire Mac OS X drive read/write is a really bad move.

 

The inbound firewall has nothing to protect by default. There is absolutely zero benefit to turning it on unless you're running a server that needs to be protected and doesn't run bound to localhost, and isn't allowed through the default firewall by default. Unless you're installing third party servers and you don't want them to serve anything and they're not secure-by-default, you don't need it.

In my 20 years as a UNIX and Windows system administrator I've yet to see an exploit caught by an outbound firewall, including ZoneAlarm. I've seen outboiund firewalls cause so many false positives, thought, that if they DID catch an exploit on my watch the user probably ignored the warning.

But not in the sense of an "Administrator" account on Windows or a superuser account on UNIX.

Here's a few things I think Apple needs to change to make it more secure by default.

* Remove the "open safe files" option from Safari, along with the use of unsafe helpers like installers.
* Reduce the number of directories writable by members of "wheel" or "admin".
* Stop opening plugins from setuid applications. Do this at the toolkit level.
* Split "LaunchServices" up into separate databases - one for browsers to use with untrusted documents ("Webservices") and one for Finder and other apps to use for local files.
* Require an administrator password to get into the single-user shell.
* Make Rendezvous and Bluetooth based on location.
* Associate locations both ways with SSIDs and DHCP leases, so you automatically switch to an 'untrusted' location on an unknown network.

 

"Real" firewalls do help protect against icmp traffic, syn-flood/syn-ack attacks, port scans, and suspicous connection attempts. I don't know how effective OS X would be in thwarting these kinds of things - I have a separate system for dealing with this at the perimeter. A consequence is it also protects traveling users that stop by to visit and who are allowed to use my wap.

 

I've been hit by the virus or spyware twice and both times the outbound firewall caught it. In the virus case, it was mining passwords and sending them along. I would never have known it was installed without the outbound firewall.
I also generally don't like many applications phoning home just for kicks.

 

I've been lurking on this topic for some time now, and would like to make a couple of quick points.

First, to drval: In regards to the comment that the default value for global sharing should be disabled: In the software development arena, this is Standard Operating Procedure, at least among responsible developers. Any *optional* feature which *could* compromise system security should be disabled by default. Period. End of story. It should also be clearly stated, if only for CYA purposes from Parallels' standpoint, that enabling this feature *could* expose sensitive information to malware/etc.

I would HOPE that when the final release of this version of Parallels goes gold, the process of upgrading VMs to the latest release would not blindly enable global sharing; if nothing else, it should ask the user whether or not they wanted to enable the feature, and provide a friendly warning.

Second, to DKP: several of your posts had led me to believe that global sharing provided WRITE access to root and below, regardless of permissions. This is simply not the case - as another application running in user space, it has the same permissions as the user running the application. I have seen you clarify this in subsequent posts (and admittedly have not read all of your posts on this topic), but I think that it erodes your position when you are not clear on this point.

In general, I agree with DKP on this one; I run Windows in Parallels so that my system is isolated and protected from Windows and the software that runs on it. It's sandboxed. Global Sharing/drag and drop are useless features to me, and IMHO should have been disabled by default.

The sad truth about Windows security problems, especially in regards to viruses, is that they are *almost* entirely preventable. Most users run with an account with administrative privileges; in fact, if you just do a point-and-click install of Windows, this is what you end up with. If people ran under a non-administrative user account, the system would not be quite so easy to infect. Oh, and if people stopped running binary email attachments. And ran anti-virus software. And... Oh, forget it. Run Linux, OS X, or another *NIX-based OS which considers security a primary concern, not an afterthought.

 

The mount point is what is read/write in Windows (vs read-only) and as you correctly understand, the Unix file system permissions control the specific access. What I said is true enough, but not the entire story. It is an awkward thing to describe in a few words and I did struggle with a way to describe it without becoming tongue tied. It didn't occur to me early on that people would think Parallels gave them root privileges as well as access to the root level of the Mac drive, and I think the age-old overloading of 'root' was a problem, too. Your point is well taken and I've modified the way I describe it now.

 

dkp: Hope I didn't come across as bashing there, it wasn't my intention. I had an "oh, cr*p, you've gotta be kidding me" moment when I read your first post on the topic.

Funny, in my opinion this whole argument would be moot if Parallels just had this feature disabled by default. The exception I take with this feature, and I'm sure that most users would agree, is that it was *silently* enabled, at least in the beta. Hopefully the production release will not do this by default.

And before anyone flames me on my last post, specifically the Standard Operating Procedure quote, let me be the first to state that this is MY OPINION. This is certainly the case in the dev teams that I lead, and in the teams that I have been lucky enough to be a part of in the last nine years. Developers need not be security experts to be security aware. Perhaps this is a side-effect of coming up through the UNIX side of development rather than starting with DOS/Windows; In my twenty-odd years of professional development, I've met far more windows developers who are oblivious to security issues than *NIX developers with that problem.

 

I'm pretty familiar with what firewalls can do. When I set up our first internet connection at the office, about all you had to go on was Cheswick and Bellovin's papers, and an early version of Marcus Ranum's toolkit. I wrote most of my own proxies in the end, since I needed slightly different policies than fwtk could manage.

Or (as has happened on ocasion) it could be a target for them. If you're going to have code in the kernel to handle flood attacks, for example, why not handle them in the stack itself so you're protected for the services you're leaving open as well... and in fact if OSX is using a recent FreeBSD stack it's doing that.

You don't use a packet filter to watch for port scans and suspicious connection attempts, you use a scanner like snort.

And I eventually turned off klaxon and stripped down my snort rules to exclude EVERY attack I already knew about (and had blocked) because when you're getting probes from dozens of unique IP addresses every minute you're better off working on the prevention side.

So you might have been hit by any number of other viruses or spyware that used a less suspicious approach to communicate with the outside world, like (say) piggybacking on a browser or using MAPI. They don't even have to make a connection to the outside world, they can get the information out by tagged DNS lookups... heck, you can even tunnel IP through some proxy firewalls using DNS.

The bottom line is that security is like sex, once you're penetrated you're ****ed. Completely removing potential attacks is much more productive than blocking attacks you shouldn't be exposed to, detecting attacks that can't effect you, or finding out that you've been infected. If you're running Windows there's not much alternative to concentrating on cleanup efforts, but OS X is still worth taking the prevention approach for.

Seconded!

 

In fact that was a problem for a long time with a Sol 8 based firewall system I ran. It just seemed to be too easy to take out.

Yep - a firewall is a suite of tools - packet filter, NAT, AV scanners, proxies, IDS, etc. Old news to many of us, certainly.

A realization I had with Snort was that it was telling me the obvious - those patterns exist because those attempts exist, and sooner or later you're going to see them all. Best to just harden your system against every significant Snort pattern and stop looking for them - it's just a waste of cycles. I reduced theinstalled patterns to new stuff as it would turn up, and if they weren't a threat, out they'd go, too. Snort is pretty quick if it's running lean but it will talk your ear off otherwise.

 

Nope - not at all. I've done a lot of writing over the years and sometimes you get caught in a logical fork like this and have to go back and re-state what you thought was the clearest of thoughts.

It was a lot of posts ago but that was my original desire, too. It became increasingly necessary to expand on the why of it. It even began to bore me but the point seemed important to defend, particularly against such unenlightened opposition. It has been my feeling from the beginning of this debate that the more you know and understand about the problem the less likely you are to accept it.

 

Actually an interesting aspect of this is that, when I raised (again) the idea of the acceptability of GFS being AVAILABLE but OFF by default, the resounding response from some quarters was: "NO! That's not acceptable. It has to just be GONE." That was pretty striking.

The other reason that this was important IMO to keep alive -- besides my different perspective on the default (and the reason for the default) -- I thought too much attention was being placed on GFS (which is a clearly unique feature/implementation of Parallels) without clear discussion of the real, omnipresent issues of interoperability with Windows. This emerged during the discussion of Shared Networking as opposed to other modes.

But, let's be clear. Some want a completel closed box, for a number of reasons. Others want clear, unobstructed interoperability, again for a number of reasons. Perhaps this means two (or more) versions of Parallels once the RCx becomes GA.

Or, perhaps, it just refocusses the issues back to: what is the main product?

My sense is that the real market for Parallels is users of Windows who want to migrate to Mac. That group definitely wants transparent interoperability and they already know about the dangers, pitfalls, problems, challenges -- in short the joys -- of computing in the Windows world.

Again IMO the issue isnt' a single setting of a single parameter -- and that's important to remember.

 

Val - you have again ignored the important responsibility Parallels has to inform the public about the consequences of the defaults. That failure is a very big failure of policy and it chaffes the nature of trust customers can put into the company. The fact that this is the default is a signal that they have accepted convenience over safety and that won't fly with this crowd.

That aside it absolutely is my preference that this kind of hack not be in the final product, but if it must, I prefer it be disabled. The Fusion product suggests it is not required, but then it's also in beta and possibly they haven't implemented it yet. That is not a call to remove the functionality - only the method.

It may be too that EMC holds the patent for the only safe way to have system and application associations established between the OS and VM's. But they could at least talk to us about it. You know damn well they're talking about it in Seattle. They're going to have to respond to Brian Krebs' article as a minimum. If they wait long enough they'll have to deal with Kim Kommando and Steve Gibson, too. Then there's the very real threat this thread will deplete all their storage

 

Please don't try to tell me what I have and haven't done. Not only is it bad netiquette, you've also gotten it wrong when you've tried.

I have specifically posted about how Parallels should -- and I hope will -- include warnings in their documentation with the release. This is beta/RC code we're discussing here.

But it appears that you may be minimizing, if not ignoring, the very real desire of many WIndows users to have such interoperability be as easy to use and implement as possible.

This "debate" reflects the juxtaposition of two (at least!) different orientations in the world of computing and that's a part of the issue that makes it difficult to even have the discussions. This is because features that some users want, others see as inherently dangerous, etc.

I would also point out that, at this point, it isn't really clear what GFS actually does and what it will -- or won't -- do in the next RC, let alone the GA. Some have reported that drag and drop is not affected by turning off GFS. So, is it needed? Does it do something specifically different when OFF or ON? Is that migrating as they refine the function? What are the implications of that migration, if it's happening?

We really need to hear from Parallels as they continue with their work.

But, regardless of what they decide, there will be users who will celebrate their choices and users that castigate those same choices. I will point out again that, despite all of the problems, dangers, whatever, Windows remains dominant. Moreover, we're seeing a lot of effort to bring Windows TO the Mac platform, but no real effort of taking Mac TO Windows. There are reasons for that IMO and minimally the reality of those reasons need to also be borne in mind.

 

Your post was a summary, Val, and you left out a significant element. One that has created a great deal of interest, I might add. Bringing it to your attention is hardly a breach of netiquette. And will you please stop your feeble attempts to shepherd the conversation. It is not yours to guide.

The inconvenient truth is you did not in this latest summary. Oversight or manipulation?

Nonsense - please read again where I declare for the zillionth time for you alone that I am not against the functionality, only the method they use to achieve it.

You are continuing to play word games, Val. Others don't "...see as inherently dangerous". It bloody well is inherently dangerous and that is established fact.

It is spelled out in the documentation, Val, for all to read. The global share is there to ensure content from an OS X application can be dropped into a Windows application seemlessly. A map, for example, from Streets and Trips could be dropped into the Mac previewer, or a Mac NeoOffice spread sheet can be dragged to Windows Excel.

I think just said they have not been talking to us about this. Are you plagarizing, too?