Apple Cites Open Source Core Security
ChilyMack writes "In a CNet article, Apple senior vice president Bertrand Serlet says, 'A lot of security problems derive from the core ... [With open source code,] thousands of people look at the critical portions of source code and ... check those portions are right. It's a major advantage to have open-source code.'"
With the skin peeled off the Apple, and the raw core exposed, it's easy to remove the rotten bits. Getting rid of the rotten bits is good, as it reduces the number of worms.
He who laughs last is stuck in a time dilation bubble.
They're a (relatively) big company. Big companies are supposed to be evil, yet they do lots of Good Stuff(tm) like supporting and using OSS.
This is what Apple's always done that's kept them around... their products are dirt simple, yet really powerful in hands that know how to put them to work.
In the words of a motivational book-on-tape foisted on me recently, it's not enough to have satisfied customers, you need to create raving fans. I bought my first Apple (Pbook G4 1.25) in May, and I've been raving about it ever since. mmm.... iMac...
I'd like to point out that Steve Jobs did not say this.
The fundamental difference? When Jobs says something is cool, it's cool. When random execs at Apple say something's cool it means nothing.
At least, that's the way it seems to work...
--
Especially considering how just a few days ago Steve Jobs was saying in an interview here [alwayson-network.com] how they were trying to not be blatant about trumpeting this advantage to avoid becoming a target for viruses and other security breaches.
Although, if Steve Jobs points that out in an interview, then how low-profile can it really be?
Or it could be that the institutions with money (i.e. something to hack for) are running IIS or other commercial web servers as opposed to the home websites running freeware like Apache. And others are probably spoofing Apache to throw hackers off the scent, so Netcraft numbers.
I mean seriously - if something is important to you, do you just turn it in w/o someone else giving it the once over? My wife reads every talk I give and vice-versa. WE ALWAYS catch mistakes that the other person has made.
It's a no-brainer.
..........FULL STOP.
Does anyone else hear their ears ringing (even though this is on screen)? Apple, core? Ugh! Did the Apple dude mean to do that?! I suppose one could use text to speech to experience the effect with Victoria's immaculate voice.
.... like setting ownership/permissions on tty devices with Apple X11's xterm.
Nice as this sounds and all, I have to point out that there's an awful lot of OS X code out there that is closed source.
Though most of the directly network-exposed stuff seems to be generally open source (well, dunno about Rendezvous).
May we never see th
Yeah, so let's see...
% curl http://www.ibm.com/us/ -D header > /dev/null
% cat header
HTTP/1.1 200 OK
Date: Thu, 02 Sep 2004 05:03:47 GMT
Server: IBM_HTTP_SERVER/1.3.26.3 Apache/1.3.26 (Unix)
Vary: *
Cache-Control: no-cache
Content-Length: 26256
Content-Type: text/html
But... IBM doesn't have any money.
Check, www.whitehouse.gov, (where all the money is). It runs on Apache.
Apple has been a great demonstration for the added security of OSS. Of the few exploits that have arisen, they've mostly been related to the parts of the OS that are still closed, like AppleScript and Internet Connect.app. Maybe they should expand their OSS efforts into these areas...
(exceptions in recent libpng and libz exploits)
Umm.
That is the most ignorant Slashdot posting I've ever read that used complete sentences.
Or did I just get trolled?
That is the most ignorant Slashdot posting I've ever read that used complete sentences.
"And others are probably spoofing Apache to throw hackers off the scent, so Netcraft numbers" is not a complete sentence.
By that logic Apache should have more exploits than Microsoft's web server, since Apache has the major market share. Since that's not so, it seems that vulnerability is a bigger factor than market share when it comes to picking targets.
You've misunderstood what the "Apache versus IIS" example represents.
It shows that open source can be secure. Apache is indeed a more attractive target because it does have a larger marketshare. However, attacks are unsuccessful because Apache is more secure than IIS.
This doesn't mean that marketshare is irrelevant. Quite the opposite. It means that good code can withstand the added attention a marketleader attracts.
You cannot make a parallel between Apache and OSX however. Apache is a product that proves a concept is sound; that open source can be secure even when it is a very attractive target. This doesn't mean all open source is secure, and it certainly doesn't mean that OSX won't be targeted more as its marketshare increases. OSX will be targeted more.
OS X is not "secure" because it uses Open Source, it's less targeted because it has far less market share and Apple changes enough stuff that straight BSD and/or GNU vulnerabilities can't be exploited the same way as on other platforms (not to mention different byte code!).
I'll also remind everyone that it has had its share of URI handler problems, but of course people will claim they only had those problems because they used a closed-source browser. Well I've seen enough Mozilla and Opera security patches that I don't buy that one.
So really, there are two reasons why Mac OS has not had mass exploits:
1.) Obscure
2.) Not an emotional target
People have an irrational hate for Microsoft and even when presented with easier opportunities elsewhere, will often prefer to write exploits for Microsoft products. That's not going to change any time soon, and given Apple's rabid fan base and rapidly swelling Open Source cheerleading squad, it's only likely to go the other way.
Note, it's not that I dislike Apple. Personally I run OpenBSD on most of my machines because I'm a paranoid nutcase, and I got Apple laptops for the family (which you can have when you pry them from my cold, dead fingers). I'm actually a huge fan, but at least I have some perspective.
And by the way, for all the people claiming Apache hasn't had as many exploits as IIS, I think you'll find that if you include common Apache modules (which are similar to IIS in functionality) in your comparison that it will be very close, if not worse for Apache. Think about it, mod_ssl, mod_php, mod_proxy, mod_rewrite, etc... That's a lot of vulnerabilities that have been discovered.
Someone is WRONG on the Internet!
By that logic Apache should have more exploits than Microsoft's web server
It possibly does.
361 Apache Advisories on Bugtraq VS 141 IIS advisories
A rough and cheap example, but nevertheless a belief that Apache is somehow super secure is a nonsense.
The many eyes argument is a tired one - how many people actually check the code, how many of those people are experienced enough to find vulnerabilities?
Look at the DARPA funded Linux Security effort. It died because no one was contributing.
Open source is great because you can read the code, but a belief that someone else must be auditing that code leads to security through delusion - unless YOU are auditing the code, and unless YOU are trained to know how to audit it well, don't assume anyone else is.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
You're just proving the point of the article. Open source doesn't mean that there will be fewer security advisories (in fact, there will likely be more, because more people are looking for them), but that those that do appear will be fixed quickly and in most cases, before they can be exploited. For closed source stuff, it generally works the other way around: exploit and then patch. When discussing this, keep in mind how many more eyes OSS can train on code, and how much faster those patches can be created.
The role of the writer is not to say what we can all say, but what we are unable to say. -Anais Nin
I forgot "are not likely to be accurate and should not be used as an indicator of 'market share,' even if commercial sites tended towards freeware like Apache."
How is it ignorant? Enlighten me. You're telling me real businesses--the Fortune 500, banks, brokerage houses, large manufacturing concerns, trust their businesses to freeware? It is much more likely that any such entity reporting Apache as a server is engaging in deception to elude hackers, who quite naturally target platforms like Microsoft's which are used for real business as opposed to hobby software like Apache.
Flamebait, indeed. Which is why I always post AC when I post facts that might offend the Cult of Mac's faithful. Meanwhile, while logged in, I have more Karma than Siva, gained from posting slavish praise of the Mac--the zealots eat it up :).
Anti-MS zealot company and spoofed, respectively. You think Homeland Security wants whitehouse.gov advertising the version of the webserver it's running to Al Qaeda?
"Totally misses the boat on security"
You sure do.
Q: What's worse than finding a worm in your apple?
A: Finding half of a worm.
It's not offtopic, dumbass. It's orthogonal.
Well I think the response to Real Networks pretty much fits the description...
As for the cheerleading squad, you can't go 6 inches on /. these days without running into some *n*x junky singing the praises of Apple. Just look at *n*x conventions and tradeshows over the last two years, the amount of laptops with an Apple on the lid is staggering.
The difference is, in OSS software, vulnerabilities and exploits tend to get fixed
I think Milton said it best himself
The fact that a falsehood can be stated with great precision, style, or in a moving manner does not change its "false" nature. For example my corporation's goal may be to maximize profit by designing and developing the most effective and reliable medical equipment.
And of course charities, open source developers, etc. can be unethical. Welcome to the real world, sound bites, or in Milton's case word bites, are not the ultimate source of knowledge or fact. Writers have poetic license to oversimplify or fudge the facts to convey a point.
You've misunderstood what the "Apache versus IIS" example represents...
You cannot make a parallel between Apache and OSX however. Apache is a product that proves a concept is sound; that open source can be secure even when it is a very attractive target. This doesn't mean all open source is secure, and it certainly doesn't mean that OSX won't be targeted more as its marketshare increases. OSX will be targeted more.
And you understood what the example represents, but then lost the message at the end. The grandparent is not trying to say that all OSS is inherently more secure, nor that Mac OS X is impenetrable due to its OSS base. Rather, he's defusing the point that a lot of anti-Apple people make: that the only reason Mac OS X is secure is due to its minimal marketshare. What the grandparent is saying is that there could well be (and likely are) other reasons. Yes, Mac will have to weather a greater storm if its popularity increases. However, it is my belief that it will survive well even with greater market share, because it has a solid, secure base on which to fall back.
"Reality is merely an illusion, albeit a very persistent one " -Albert Einstein
Add to that a fortune 50 company: Target.
Add to that Amazon.
There's a whole class of security vulnerabilities in Windows that did not trouble any other operating system or application environment, at least until people started copying them. And they've only begun to show up elsewhere... if people push hard enough, maybe they can be kept from spreading...
I'm talking about "cross zone exploits". Until Microsoft merged the desktop and the browser the whole idea of a program that was designed to handle untrusted documents, particularly something like a web browser, that even contained a mechanism whereby these documents could do dangerous things was fantasy.
There have occasionally been bugs where this kind of functionality was created, until they were fixed, but they were clearly bugs and they *were* fixed. Because the idea that you could (for example) take this program, point it at a directory, and get your regular file browser with full local user rights... then point it at a webpage or a mail message and get a supposedly "secure" browser... this was bad SF. It was a JOKE, for heaven's sake. We used to joke about the "Good Times" virus that could infect you just by viewing a mail message. We knew nobody would ever deliberately build a mail reader where that was possible. We knew that if anyone ever made that possible, they'd rip the dangerous code out and use an inherently secure[1] viewer instead.
Then Microsoft did it. And they refused to fix it. And they refused to fix it even when they faced being forcibly split up as a result. This is not just bad design, it's almost criminal negligence. It's like building a car that explodes if you park it facing north, and then telling people not to face it north.
And the scary thing is that people are copying it. Apple's URI vulnerability, which they *haven't* fixed properly, is a step on the same path. And I sure hope KDE's Konqueror integration is being done with the utmost care.
[1] Inherently secure doesn't mean "there are no security holes", it means that the design doesn't include capabilities that are security breaches if used by an untrusted agent. There can be security holes, but fixing them won't change the interface or require valid and legal applications using it properly to be changed. HTML is "inherently secure", because there's no mechanism for changing anything outside the page. HTML+ActiveX is no longer "inherently secure", because ActiveX provides functionality that can breach security, and removing that functionality (rather than restricting what agents can use it) would break working software.
Javascript as implemented in most browsers seems to be inherently secure. Java is not inherently secure at the bytecode level, but if the security model in the class hierarchy is valid then the subset of java provided through a browser is inherently secure. In Internet Explorer, though, this is no longer true because their scripting and plugin rights are not based on the application used to display the document containing scripts or embedded objects, but rather where that document or object was loaded from.
There's no "safe IE" that you can feed a potentially untrusted document to, you have to depend on the browser being able to infer from how you called it that it's to treat it as dangerous, and on the document not containing any references through relative or guessed links that would lead a second instance of the browser to treat it as trusted.
Even if you use Firefox as your browser, you're not safe, because Firefox uses the HTML control's bindings for URLs it calls. Why it does this, I have no idea. It makes the same mistake on Mac OS X with the LaunchServices bindings that Finder and WebObjects use.
God, I hope the KDE people are paying attention to this class of attack, because Microsoft's managed to popularise this bad design to the point where people who should know better are aping it...
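The post above contrasts two designs: rights that follow where a document was loaded from (the "zone" model) versus rights that follow the viewer the user chose to open it with (the "inherently secure" model). The toy model below is an added example, not code from the thread or from any browser; the document names, actions and the "guessed local link" chain are constructed to show why the second design contains the damage and the first does not.

```python
from dataclasses import dataclass

# Capability sets in this toy model (constructed for the example).
PRIVILEGED = frozenset({"render", "run_local_program", "write_files"})
SANDBOXED = frozenset({"render"})

@dataclass(frozen=True)
class Document:
    name: str
    origin: str              # "local" or "remote"
    actions: tuple           # capabilities the document's content asks for
    links: tuple = ()        # other documents it references

def zone_rights(doc, _viewer_rights):
    # "Zone" design: rights are decided by where the document came from.
    return PRIVILEGED if doc.origin == "local" else SANDBOXED

def viewer_rights(_doc, viewer_rights):
    # "Inherently secure" design: rights are decided by the viewer the user
    # started; a viewer opened for untrusted content stays sandboxed for
    # every document it follows a link to.
    return viewer_rights

def open_document(doc, policy, viewer_rights, seen=None):
    """Follow links from `doc` and return the set of actions actually
    performed, given a policy that grants each document its rights."""
    seen = set() if seen is None else seen
    if doc.name in seen:           # guard against link cycles
        return set()
    seen.add(doc.name)
    granted = policy(doc, viewer_rights)
    performed = {a for a in doc.actions if a in granted}
    for linked in doc.links:
        performed |= open_document(linked, policy, viewer_rights, seen)
    return performed

# Constructed sample: a remote page links, via a guessed local path, to a
# local help file whose content asks to run a program.
LOCAL_HELP = Document("help.htm", "local", ("render", "run_local_program"))
REMOTE_PAGE = Document("mail.htm", "remote", ("render", "write_files"), (LOCAL_HELP,))

def dangerous_actions(policy):
    """Dangerous actions the untrusted remote page can trigger under `policy`.
    The viewer is started sandboxed because the content is untrusted."""
    return open_document(REMOTE_PAGE, policy, SANDBOXED) - SANDBOXED

if __name__ == "__main__":
    print("zone design  :", sorted(dangerous_actions(zone_rights)))    # ['run_local_program']
    print("viewer design:", sorted(dangerous_actions(viewer_rights)))  # []
```

The remote page's own write request is refused under both designs; the difference is that the zone model re-grants full rights to the linked local document, which is exactly the cross-zone step the post describes.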
Virus writers tend to be driven by the desire to get recognition for their work from peers or some strange satisfaction from hacking other people's computers. With this logic, OS X should be a prime target. It has been out how long now? 4-5 years and it still has not had any exploits in the wild. Who wouldn't want to be the *FIRST* to write and receive credit for an OS X exploit? If they're trying, they're not having much success. If they're not trying, why not? I don't think that it is obscurity that is stopping them, and I don't think that OS X is impervious to attack. So something else must be going on. But what? I'm a happy Mac user, but I feel that Macs are ripe for hacking. Someone will figure it out and every single Mac will fall victim because none of us use anti-virus software unless we share a network with Windows PCs (how's that for irony). Macs don't get viruses but they can spread them. The infrastructure for the Mac community is not prepared for a virus or worm. The first one to appear will likely be devastating. It won't likely have much of an effect on society, but it will get lots of press. I can just imagine the headlines on /. ..."Apple has a bite taken out of it..."
Why doesn't anything interesting happen when I have mod points?
Big company uses open source = big company gets cheap labour fixing bugs.