Slashdot Mirror
Apple Cites Open Source Core Security
ChilyMack writes "In a CNet article, Apple senior vice president Bertrand Serlet says, 'A lot of security problems derive from the core ... [With open source code,] thousands of people look at the critical portions of source code and ... check those portions are right. It's a major advantage to have open-source code.'"
With the skin peeled off the Apple, and the raw core exposed, it's easy to remove the rotten bits. Getting rid of the rotten bits is good, as it reduce the number of worms.
He who laughs last is stuck in a time dilation bubble.
They're a (relatively) big company. Big companies are supposed to be evil, yet they do lots of Good Stuff(tm) like supporting and using OSS.
This is what Apple's always done that's kept them around... their products are dirt simple, yet really powerful in hands that know how to put them to work.
In the words of a motivational book-on-tape foisted on me recently, it's not enough to have satisfied customers, you need to create raving fans. I bought my first Apple (Pbook G4 1.25) in May, and I've been raving about it ever since. mmm.... iMac...
Especially considering how just a few days ago Steve Jobs was saying in an interview here. [alwayson-network.com] how they were trying to not be blatant about trumpeting this advantage to avoid becoming a target for viruses and other security breaches.
Although, if Steve Jobs points that out in an interview, then how low-profile can it really be?
I mean seriously - if something is important to you, do you just turn it in w/o someone else giving it the once over? My wife reads every talk I give and vise-versa. WE ALWAYS catch mistakes that the other person has made.
It's a no-brainer.
..........FULL STOP.
You had me convinced, right up until I realized it was your sig that convinced me. Then my head exploded.
Though most of the directly network-exposed stuff seems to be generally open source (well, dunno about Rendevous).
There's an simple rendezvous implementation that's open source called mDNSResponder. This is the library released for linux and darwin.
However, this is not what OSX apps use for rendezvous. They call functions in the core services. The code in the core services is not opensource and probably uses little of the mDNSResponder library.
But even if it did use the mDNSResponder library, just because it's open source doesn't mean it is secure.
At the core of mDNSResponder is a single 318k file called mDNS.c
It is really tough to work on because it is such a huge mess.. and this is the code they released to the public.
By that logic Apache should have more exploits than Microsoft's web server, since Apache has the major market share. Since that's not so, it seems that vulnerability is a bigger factor than market share when it comes to picking targets.
You've misunderstood what the "Apache versus IIS" example represents.
It shows that open source can be secure. Apache is indeed a more attractive target because it does have a larger marketshare. However, attacks are unsuccessful because Apache is more secure than IIS.
This doesn't mean that marketshare is irrelevant. Quite the opposite. It means that good code can withstand the added attention a marketleader attracts.
You cannot make a parallel between Apache and OSX however. Apache is a product that proves a concept is sound; that open source can be secure even when it is a very attractive target. This doesn't mean all open source is secure, and it certainly doesn't mean that OSX won't be targetted more as its marketshare increases. OSX will be targetted more.
"People have an irrational hate for Microsoft"
I wouldn't call it irrational. Sometimes people vent their anger irrationally, but the cause of that anger is generally quite rational indeed.
And your assertion:
"So really, there are two reasons why Mac OS has not had mass exploits:
1.) Obscure
2.) Not an emotional target"
is pure speculation. If they were the sole reasons, then you'd expect at least one actual exploit to surface in the wild. I'm sure they are factors, but how about it's easier to write viruses/worms/trojans for Windows? And the fact that MS waits so long before security updates?
In short, there are not, simply, "two reasons why Mac OS has not had mass exploits".
By that logic Apache should have more exploits than Microsoft's web server
It possibly does.
361 Apache Advisories on Buqtraq VS 141 IIS advisories
A rough and cheap example, but never the less a belief that Apache is somehow super secure is a nonsense.
The many eyes argument is a tired one - how many people actually check the code, how many of those people are experienced enough to find vulnerabilities?
Look at the DARPA funded Linux Security effort. It died because noone was contributing.
Open source is great because you can read the code, but a belief that someone else must be auditing that code leads to security through delusionment - unless YOU are auditing the code, and unless YOU are trained to know how to audit it well, don't assume anyone else is.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein