Apple Cites Open Source Core Security
ChilyMack writes "In a CNet article, Apple senior vice president Bertrand Serlet says, 'A lot of security problems derive from the core ... [With open source code,] thousands of people look at the critical portions of source code and ... check those portions are right. It's a major advantage to have open-source code.'"
With the skin peeled off the Apple, and the raw core exposed, it's easy to remove the rotten bits. Getting rid of the rotten bits is good, as it reduces the number of worms.
He who laughs last is stuck in a time dilation bubble.
They're a (relatively) big company. Big companies are supposed to be evil, yet they do lots of Good Stuff(tm) like supporting and using OSS.
This is what Apple's always done that's kept them around... their products are dirt simple, yet really powerful in hands that know how to put them to work.
In the words of a motivational book-on-tape foisted on me recently, it's not enough to have satisfied customers, you need to create raving fans. I bought my first Apple (Pbook G4 1.25) in May, and I've been raving about it ever since. mmm.... iMac...
I'd like to point out that Steve Jobs did not say this.
The fundamental difference? When Jobs says something is cool, it's cool. When random execs at Apple say something's cool it means nothing.
At least, that's the way it seems to work...
Especially considering how just a few days ago Steve Jobs was saying in an interview here [alwayson-network.com] how they were trying to not be blatant about trumpeting this advantage to avoid becoming a target for viruses and other security breaches.
Although, if Steve Jobs points that out in an interview, then how low-profile can it really be?
I mean seriously - if something is important to you, do you just turn it in w/o someone else giving it the once over? My wife reads every talk I give and vice versa. WE ALWAYS catch mistakes that the other person has made.
It's a no-brainer.
..........FULL STOP.
Nice as this sounds and all, I have to point out that there's an awful lot of OS X code out there that is closed source.
Though most of the directly network-exposed stuff seems to be generally open source (well, dunno about Rendezvous).
May we never see th
By that logic Apache should have more exploits than Microsoft's web server, since Apache has the major market share. Since that's not so, it seems that vulnerability is a bigger factor than market share when it comes to picking targets.
You've misunderstood what the "Apache versus IIS" example represents.
It shows that open source can be secure. Apache is indeed a more attractive target because it does have a larger marketshare. However, attacks are unsuccessful because Apache is more secure than IIS.
This doesn't mean that marketshare is irrelevant. Quite the opposite. It means that good code can withstand the added attention a market leader attracts.
You cannot make a parallel between Apache and OSX however. Apache is a product that proves a concept is sound; that open source can be secure even when it is a very attractive target. This doesn't mean all open source is secure, and it certainly doesn't mean that OSX won't be targeted more as its marketshare increases. OSX will be targeted more.
"Of the few exploits that have arisen, they've mostly been related to the parts of the OS that are still closed"
That's not even remotely true. When you run Software Update, Apple lists exactly what's being updated and all of the security updates have been primarily updating free software.
And that doesn't even address your use of the word "exploits" as there have been none to date, just potential exploits and "proofs of concept" that are at best nominal exploits.
"People have an irrational hate for Microsoft"
I wouldn't call it irrational. Sometimes people vent their anger irrationally, but the cause of that anger is generally quite rational indeed.
And your assertion:
"So really, there are two reasons why Mac OS has not had mass exploits:
1.) Obscure
2.) Not an emotional target"
is pure speculation. If they were the sole reasons, then you'd expect at least one actual exploit to surface in the wild. I'm sure they are factors, but how about it's easier to write viruses/worms/trojans for Windows? And the fact that MS waits so long before security updates?
In short, there are not, simply, "two reasons why Mac OS has not had mass exploits".
By that logic Apache should have more exploits than Microsoft's web server
It possibly does.
361 Apache Advisories on Bugtraq vs. 141 IIS advisories
A rough and cheap example, but nevertheless a belief that Apache is somehow super secure is a nonsense.
The many eyes argument is a tired one - how many people actually check the code, how many of those people are experienced enough to find vulnerabilities?
Look at the DARPA funded Linux Security effort. It died because no one was contributing.
Open source is great because you can read the code, but a belief that someone else must be auditing that code leads to security through delusionment - unless YOU are auditing the code, and unless YOU are trained to know how to audit it well, don't assume anyone else is.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
Personally, I don't really think Macs are "obscure" at all.
Macs have been around for what, 20 years? I don't know a single graphic designer who hasn't at least spent a fair amount (if not all) of their time on them.
Obviously, Macs aren't number 1, but as regards *personal* computing they're definitely number 2. Macs have a huge mindshare. Macs are everywhere from schools to businesses to government and even science.
Saying the Mac is obscure is like saying Zenith is obscure because Sony has #1 marketshare. (Note how I avoided a car analogy.)
lorem ipsum, dolor sit amet
OS X is not "secure" because it uses Open Source, it's less targeted because it has far less market share
These things are not mutually exclusive. OS X may, in fact, be more secure because it uses open source, and also has fallen to fewer (zero?) exploits in part because it has smaller market share.
I'll also remind everyone that it has had its share of URI handler problems, but of course people will claim they only had those problems because they used a closed-source browser.
True, but that was a problem with one application, and technically not the "operating system." I know Microsoft wants us all to believe that a web browser is an essential, inseparable component of an OS, but on OS X it's just another app. The URI handler exploit does point up a problem in that, IIRC, it could be used to gain root and do whatever. But it's misguided to think of it as some inherent security flaw in the kernel.
I got Apple laptops for the family (which you can have when you pry them from my cold, dead fingers)
No thanks, I'm really not interested in "having" your family in any sense of the word.
People have an irrational hate for Microsoft
Some people do. Some people have a rational dislike of Microsoft.
and even when presented with easier opportunities elsewhere, will often prefer to write exploits for Microsoft products.
I think you're speculating here. I doubt very much that hatred of Microsoft, rational or otherwise, is a primary motivation for most of the people out there writing viruses. Indeed, most of the people I know who really dislike MS avoid using its products, and therefore use either Linux or MacOS. (Though I guess you could make a pretty good argument that if you use Windows long enough, you'll build a pretty solid dislike of MS.)
My point is, the people who write Windows viruses and worms and such are probably NOT Mac and Linux users. They're Windows users who want to show off their programming skillz and build some kind of hacker cred. They're not mainly driven by ideology, but by their own egos. And when it comes to "easier opportunities," well, it doesn't seem like there are any that are easier than Windows.
That's not going to change any time soon, and given Apple's rabid fan base and rapidly swelling Open Source cheerleading squad, it's only likely to go the other way.
Dude, you've been reading too much Microsoft PR. When was the last time you met a "rabid" (meaning "infected with rabies" or implying foaming at the mouth, wild-eyed, unable to think clearly) Mac user? We're mostly a pretty mellow bunch, and we just want to get our work done without the OS getting in the way. We like that it looks nice, works well, and has some cool features. And Apple makes pretty darn nice hardware. What's irrational about that? What's so wrong with thinking Microsoft products are crappy?
Apple will be glad to know it's got a rapidly expanding open source cheerleading squad, but only if it leads to rapidly expanding sales.
You're at least partially right, though there is room for disagreement (the way Windows puts all the metadata about executability in the file extension is a fundamental flaw, I'd say).
In the end, it doesn't matter why Mac OS X has fewer security problems - it only matters that it does have fewer problems.
Right now, if you're using file formats and applications that are standards-based and/or cross-platform, you have a choice as to which platform to use.
If you're using Windows, you're sitting right in the bullseye.
If you're using anything else, you're sitting out at the edge of the target.
I prefer to get work done with my computer, without worrying about incoming darts - that's why I use Anything But Microsoft. I'll reconsider my stance when the situation in the real world changes - either exploits for other platforms go up, or exploits for Windows taper off to the annoyance level. Call me when that happens, OK?
To a Lisp hacker, XML is S-expressions in drag.
Q: What's worse than finding a worm in your apple?
A: Finding half of a worm.
It's not offtopic, dumbass. It's orthogonal.
In the end, it doesn't matter why Mac OS X has fewer security problems - it only matters that it does have fewer problems.
Yes and no.
Yes, in that of course, for you and me in the here and now, this is most important in practical terms. We can both get on with our work with fewer hassles.
No, in that the why is important for several reasons. I think it's important to look at the obscurity angle, and break it down into two areas. 1) is that obviously because there are fewer Macs as compared to Windows machines, there are fewer opportunities for exploitation, even if the level of security were the same. More importantly, 2) is that OS X is incredibly unlikely to become a vector for viral infection. This has important implications for computing as a whole and in arguing for heterogeneous computing environments. A business that uses a mix of OSes is far less vulnerable than an all Windows shop, and it could very well be that having a mixed environment is far cheaper in the long run. An internet not totally dominated by Windows PCs will be less vulnerable to epidemics, and those epidemics will burn themselves out more quickly. Thus it is good public policy to encourage the adoption of alternative OSes in business and especially in government.
It's not offtopic, dumbass. It's orthogonal.
A third reason that Macs have fewer attacks is that fewer of the l33t kiddies actually own them.
There's no way I could write code that attacked a Mac without having one to play with - and I don't.
I've got a collection of PCs and a collection of Sun boxes, but no Macs.
I think Milton said it best himself
The fact that a falsehood can be stated with great precision, style, or in a moving manner does not change its "false" nature. For example my corporation's goal may be to maximize profit by designing and developing the most effective and reliable medical equipment.
And of course charities, open source developers, etc. can be unethical. Welcome to the real world, sound bites, or in Milton's case word bites, are not the ultimate source of knowledge or fact. Writers have poetic license to oversimplify or fudge the facts to convey a point.
Big company uses open source = big company gets cheap labour fixing bugs.