Slashdot Mirror


Apple Cites Open Source Core Security

ChilyMack writes "In a CNet article, Apple senior vice president Bertrand Serlet says, 'A lot of security problems derive from the core ... [With open source code,] thousands of people look at the critical portions of source code and ... check those portions are right. It's a major advantage to have open-source code.'"

5 of 69 comments

  1. Re:Odd they bring this up now by UnknowingFool · · Score: 1, Informative

    The difference is that it is easier to exploit MS holes. It's harder to exploit holes in OS X, Linux, and BSD. More knowledge and skill is required, and there are far fewer script kiddies in these systems.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  2. Totally misses the boat on security by cipher+chort · · Score: 1, Informative

    OS X is not "secure" because it uses Open Source, it's less targeted because it has far less market share and Apple changes enough stuff that straight BSD and/or GNU vulnerabilities can't be exploited the same way as on other platforms (not to mention different byte code!).

    I'll also remind everyone that it has had its share of URI handler problems, but of course people will claim they only had those problems because they used a closed-source browser. Well I've seen enough Mozilla and Opera security patches that I don't buy that one.

    So really, there are two reasons why Mac OS has not had mass exploits:
    1.) Obscure
    2.) Not an emotional target

    People have an irrational hate for Microsoft and even when presented with easier opportunities elsewhere, will often prefer to write exploits for Microsoft products. That's not going to change any time soon, and given Apple's rabid fan base and rapidly swelling Open Source cheerleading squad, it's only likely to go the other way.

    Note, it's not that I dislike Apple. Personally I run OpenBSD on most of my machines because I'm a paranoid nutcase, and I got Apple laptops for the family (which you can have when you pry them from my cold, dead fingers). I'm actually a huge fan, but at least I have some perspective.

    And by the way, for all the people claiming Apache hasn't had as many exploits as IIS, I think you'll find that if you include common Apache modules (which are similar to IIS in functionality) in your comparison that it will be very close, if not worse for Apache. Think about it, mod_ssl, mod_php, mod_proxy, mod_rewrite, etc... That's a lot of vulnerabilities that have been discovered.

    --
    Someone is WRONG on the Internet!
  3. Re:Evidence too... by node+3 · · Score: 2, Informative

    "Of the few exploits that have arisen, they've mostly been related to the parts of the OS that are still closed"

    That's not even remotely true. When you run Software Update, Apple lists exactly what's being updated and all of the security updates have been primarily updating free software.

    And that doesn't even address your use of the word "exploits" as there have been none to date, just potential exploits and "proofs of concept" that are at best nominal exploits.

  4. Re:Odd they bring this up now by stevey · · Score: 2, Informative

    That's not entirely true, there are many tutorials on discovering and exploiting security holes on Linux / Unix platforms.

    Everything from the classic Smashing The Stack For Fun And Profit paper to more recent ones.

    Bugtraq delivers daily reports of exploitable flaws in software, lots of it for Unix systems - granted that few people use most of the toy packages which people post bugs for, but they still exist and it's still mostly trivial to discover them.

    I audit code and it's depressingly easy to find flaws in Unix software.

  5. Re:Milton was wrong by AHumbleOpinion · · Score: 2, Informative

    And in twenty years, your corporation is maximizing profit by selling that medical equipment at incredibly inflated prices, leading to an overall rise in the cost of medical care, and eventually there's a whole class of people (at least in some countries) who can't afford it and die as a result.

    Inflating prices invites competition, that does not maximize profit. Subsidizing needy hospitals in the third world can give me tax write-offs, generate good publicity, and strengthen business relationships. Those subsidies can be more cost effective than TV ads, trinkets, and dinners.

    A company driven entirely by profit motive, will, by necessity ...

    You confuse the common with the necessary.