Slashdot Mirror


Apple Cites Open Source Core Security

ChilyMack writes "In a CNet article, Apple senior vice president Bertrand Serlet says, 'A lot of security problems derive from the core ... [With open source code,] thousands of people look at the critical portions of source code and ... check those portions are right. It's a major advantage to have open-source code.'"

11 of 69 comments

  1. ...and this is why we love Apple. by keiferb · · Score: 4, Insightful

    They're a (relatively) big company. Big companies are supposed to be evil, yet they do lots of Good Stuff(tm) like supporting and using OSS.

    This is what Apple's always done that's kept them around... their products are dirt simple, yet really powerful in hands that know how to put them to work.

    In the words of a motivational book-on-tape foisted on me recently, it's not enough to have satisfied customers, you need to create raving fans. I bought my first Apple (Pbook G4 1.25) in May, and I've been raving about it ever since. mmm.... iMac...

  2. Re:It's the open source! by Frequency+Domain · · Score: 5, Insightful

    95% of users are using Windows, making it, not Mac OS X with its market share smaller than that of Linux, a high value target.

    By that logic Apache should have more exploits than Microsoft's web server, since Apache has the major market share. Since that's not so, it seems that vulnerability is a bigger factor than market share when it comes to picking targets.

  3. open source is like proofreading by spineboy · · Score: 4, Insightful

    Open source works for exactly the same reason why you have someone else proofread your paper/thesis before you turn it in. You've seen it so many times, that you don't really look at it anymore. A fresh pair of eyes will spot all sorts of wrong things, or come up with a more elegant way of stating something.

    I mean seriously - if something is important to you, do you just turn it in w/o someone else giving it the once over? My wife reads every talk I give and vice versa. WE ALWAYS catch mistakes that the other person has made.

    It's a no-brainer.

    --
    ..........FULL STOP.
    1. Re:open source is like proofreading by TheLink · · Score: 4, Insightful

      Most significant security problems are only detected by a few experts in the field.

      A million ignorant eyes won't be able to spot a buffer overflow even if it bites them.

    2. Re:open source is like proofreading by Twylite · · Score: 2, Insightful

      And equally Open Source doesn't work because there is no controlled review process. In most (not all) projects only one pair of eyes will ever consider a particular piece of code. Another may touch on it in passing. But seldom is each function thoroughly reviewed, line by line, for correctness.

      Open Source gives you the ability to have a million eyes inspecting the code. It doesn't necessarily cause that to happen.

      What we need in the FLOSS world is a code review system similar to Project Gutenberg's distributed proofreaders. Every time code is checked into a (CVS) repository it is analysed to determine the affected function / class / file, and the before and after snippets are sent off to be reviewed by (say) 3 independent reviewers (at least one who is recognised as a "senior" reviewer). Alternatively a patch is submitted and must pass 3 reviews before being committed.

      A catch to this suggestion is that it only works properly if the function interface is properly documented, and the system is able to determine the call graph and invalidate the review of all calling functions (and their callers, etc) if the function interface changes (as attested to by a reviewer).

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  4. Evidence too... by bullitB · · Score: 1, Insightful

    Apple has been a great demonstration for the added security of OSS. Of the few exploits that have arisen, they've mostly been related to the parts of the OS that are still closed, like AppleScript and Internet Connect.app. Maybe they should expand their OSS efforts into these areas...

    (exceptions in recent libpng and libz exploits)

  5. Re:It's the open source! by prockcore · · Score: 4, Insightful

    By that logic Apache should have more exploits than Microsoft's web server, since Apache has the major market share. Since that's not so, it seems that vulnerability is a bigger factor than market share when it comes to picking targets.

    You've misunderstood what the "Apache versus IIS" example represents.

    It shows that open source can be secure. Apache is indeed a more attractive target because it does have a larger market share. However, attacks are unsuccessful because Apache is more secure than IIS.

    This doesn't mean that market share is irrelevant. Quite the opposite. It means that good code can withstand the added attention a market leader attracts.

    You cannot make a parallel between Apache and OSX however. Apache is a product that proves a concept is sound; that open source can be secure even when it is a very attractive target. This doesn't mean all open source is secure, and it certainly doesn't mean that OSX won't be targeted more as its market share increases. OSX will be targeted more.

  6. Re:Totally misses the boat on security by node+3 · · Score: 4, Insightful

    "People have an irrational hate for Microsoft"

    I wouldn't call it irrational. Sometimes people vent their anger irrationally, but the cause of that anger is generally quite rational indeed.

    And your assertion:

    "So really, there are two reasons why Mac OS has not had mass exploits:
    1.) Obscure
    2.) Not an emotional target"

    is pure speculation. If they were the sole reasons, then you'd expect at least one actual exploit to surface in the wild. I'm sure they are factors, but how about it's easier to write viruses/worms/trojans for Windows? And the fact that MS waits so long before security updates?

    In short, there are not, simply, "two reasons why Mac OS has not had mass exploits".

  7. Re:Totally misses the boat on security by stevey · · Score: 2, Insightful

    A third reason that Macs have fewer attacks is that fewer of the l33t kiddies actually own them.

    There's no way I could write code that attacked a Mac without having one to play with - and I don't.

    I've got a collection of PCs and a collection of Sun boxes, but no Macs.

  8. Milton was wrong by AHumbleOpinion · · Score: 2, Insightful

    I think Milton said it best himself

    The fact that a falsehood can be stated with great precision, style, or in a moving manner does not change its "false" nature. For example my corporation's goal may be to maximize profit by designing and developing the most effective and reliable medical equipment.

    And of course charities, open source developers, etc. can be unethical. Welcome to the real world: sound bites, or in Milton's case word bites, are not the ultimate source of knowledge or fact. Writers have poetic license to oversimplify or fudge the facts to convey a point.

  9. Makes financial sense. by Gordon+Bennett · · Score: 2, Insightful

    Big company uses open source = big company gets cheap labour fixing bugs.