Last May, I wrote a column warning that OS X represented a new era of safety concerns for Apple aficionados (see BW Online, 5/1/01, "For Mac Users, the End of Innocence"). As they switched from the relatively obscure OS 9 operating system to the OS X system based on Unix -- which hackers know far more about -- Mac users would have to double their efforts to protect their computers. And Apple would have to start treating security with the same seriousness that other Unix providers give it.

Nine months have passed, and a new version of OS X has come out. So the time seems ripe to revisit the issue of security. I'm happy to report that Apple has made considerable progress. It has created a support team for responding to security questions or complaints, plus a mailing list for customers who want to keep abreast of the issue. It has set up a toll-free number for reporting incidents. It's easy to find Apple's security site on the Web. Heck, OS X security was even the topic of a speech at Macworld in mid-January, something that would have been unlikely a few years ago.

In the nitty-gritty area of delivering software patches to fix newly reported security holes, Apple has moved quickly -- in just days. That's fast compared with the response of many other software suppliers, who often struggle to get a patch out in a month. The company also filled a bunch of security holes with its most recent update of OS X. On all these points, hats off to the Apple folks.

LOSING THE NEWBIES. Its security engineers also deserve a toast for their wise decision to ship OS X with most of the advanced Unix communications services turned off by default (something I failed to mention in my earlier article. Forgive me, Macheads). "Every other [UNIX] operating system goes out with a lot of the ports open," says Ken Bereskin, director of marketing for Mac operating systems, referring to the holes through which data travels. "What happens is, people who want a secure environment have to go back and turn off parts of the system." A locked down configuration prevents less-savvy Mac users from unwittingly exposing their machines to ne'er do wells cruising the Internet.

All these protections notwithstanding, improvements can be made, of course. The majority of Apple's iMac customers aren't serious geeks, so a little extra handholding and education would be in order. An example is Apple's Web page devoted to security. It does a fine job of telling pros how to report bugs but a lousy job of telling newbies how to secure their Macs. Aside from a list of the Unix capabilities that are turned off, Apple gives customers little information on what trouble they might stumble into.

Those dangers aren't trivial. Many Unix features, such as those that enable remote access, are fairly easy to turn on by mistake via Apple's graphical user interfaces (GUIs).

GRAVE OVERSIGHT. Which brings us to the operating system's firewall. Apple has incorporated a solid barrier in OS X to keep intruders out of its kernel, or core software. Trouble is, you need to go into something called "command line mode" to configure the firewall and make it useful. Yes, you heard right. An Apple application that lacks a GUI. "It's buried in the Unix core. They could very easily expose that in a nice simple interface," says Alan Oppenheimer, co-author of Internet Security for Your Macintosh: A Guide for the Rest of Us ($19.99, Peachpit Press).

Worse, Apple ships OS X with the firewall turned off. Considering how many customers likely will take their iMacs out of the box and plug them directly into a broadband connection -- which is easy to do -- this seems to me to be a grave oversight. Two third-party shareware GUIs, called BrickHouse and FireWalk, can make configuring and managing the OS X firewall easier. Apple does provide links to them from its site, but they aren't that easy to find (here's the link for BrickHouse, and here's FireWalk). Further, many Macheads dislike the idea of doing technical noodling on their machines -- including installing shareware. "Most Mac users won't download shareware," says Oppenheimer. "Macs are used mainly by people who don't want to have to do that stuff."

Another point that Apple should perhaps reconsider is the scheduling of software updates. OS X has a nifty feature that automatically checks for patches and any other code changes at weekly intervals. Trouble is, if a security hole shows up in Internet Explorer for Mac, for instance, Apple shouldn't leave its customers exposed for what could be a dangerous seven days. Developing the flexibility to do emergency updates shouldn't be hard to do.

POWER-USER TRICKS. Much more difficult will be making fixes to some basic flaws in the core Unix software. Take the password function. For many Unix applications, OS X accepts only eight characters. That isn't good enough for the truly paranoid, who prefer longer key strings that are harder for hackers to crack. There are ways to customize Macs to minimize this problem, but only power users know how.

Apple says it takes security seriously and is dedicating significant resources to responding to problems and to engineering fixes or preventive measures. Officials decline to discuss their security strategy in detail, but insiders say the company has focused more money and people on the effort since the launch of OS X. "Security is of topmost importance to us," says Brian Croll, the senior director in charge of software product marketing for Apple.

The steps Apple has taken so far show that it is committed to making OS X impregnable. If Apple can quickly remedy its remaining shortcomings -- and muster a little more TLC for the average Mac user -- it'll be hard to fault its security efforts. By Alex Salkever