Slashdot Mirror


Apple Hires Former OLPC Security Director

imamac writes "It seems Apple is seeking to beef up security by hiring Ivan Krstic, the one-time director of security architecture at One Laptop per Child. 'Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac.'"

144 comments

  1. So trivial there's only one by SuperKendall · · Score: 3, Insightful

    So trivial in fact to launch an exploit on the Mac, that there's only one in the wild - and that's a trojan in a pirated application.

    I guess the challenge of the PC ecosystem is what draws in the thousands of viruses and malware applications they get.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:So trivial there's only one by abigsmurf · · Score: 1

      Just because there aren't many around, doesn't mean it isn't trivial, it just means there are few malware developers who think it's worth their time.

      Not entirely sure why. It may only be a 10% user base but you've more exploits being found for OSX than Linux and Windows, fewer mechanisms to make it harder to infect a system through an exploit and a userbase that is mostly connected to the internet with no anti-virus software.

    2. Re:So trivial there's only one by MoonBuggy · · Score: 2, Interesting

      You're right, the number of exploits doesn't necessarily mean it's a more secure system, but the fact that (as you say) there aren't a proportionate amount to the size of the userbase does seem to imply decent security.

      I personally haven't heard of any exploit in the wild except the trojan, for which the user has to be willing to provide their password to any old bit of software with unknown provenance - to be honest I don't know how one could protect against that on any system. If there are other exploits out there I would like to know about it, but if there aren't then the author has no right to say it's "trivial to launch exploits against the Mac" unless he's demonstrating that by writing them himself.

    3. Re:So trivial there's only one by ihatewinXP · · Score: 5, Insightful

      Yeah I would say a citation is needed here. Zero day exploits exist - on every system - but as a Mac user since '99 and a Windows admin since I can tell you no matter the skill level of the user: Macs don't get viruses. Period. Full stop. Yes I saw the embedded trojan in iLife and the zero day sploit that got the guy a free laptop recently but as a person who has really seen a wide cross section of computers and users all the way up to Vista it is decidedly two different worlds.

      I'm glad Apple dropped the "100% virus free" moniker from marketing as has been pointed out it makes them a target - and good job on hiring forward thinking people in _all_ facets of the business. Now just get ZFS plugged in as the default file system and I will officially drown myself in kool-aid.

      And I hate to even point this out but look at the submitter's username. If you just got to /. since the mac ads came out you might want to sit back and listen for a few. Years. I know I did.

      --
      ---- The real Slashdot is still here. You just have to browse at -1 to read the comments.
    4. Re:So trivial there's only one by Soubrause · · Score: 5, Insightful

      The malware industry has barriers to entry just like anything else, until we can make $x it's not worth any investment. OSX user base isn't big enough to generate $x yet. Even after that when x is 20% of y why not get $y for the same investment.

      Microsoft & their partners also advertise bounties on exploits encouraging people to try and find them first so they can be patched, this adds to what is found considerably. I've never seen Apple pay for but have seen them deny holes that were handed to them.

      I've seen OSX exploits that didn't require any more interaction from a user than those aimed at windows in farm environments; no reason something similar isn't out there on a site we've never gone to.

      Firewalls and proxies exist because some of us know better than to think our OS is secure.

    5. Re:So trivial there's only one by macs4all · · Score: 1

      Just because there aren't any around

      There. Fixed that for you.

      A Trojan doesn't count as a vulnerability nor as an exploit; just as user stupidity, from which NO Operating System is safe.

    6. Re:So trivial there's only one by Anonymous Coward · · Score: 4, Interesting

      If the marketshare argument was true then there wouldn't have been any viruses for pre-OSX Macs either. But there were; lots of them.
      There were also viruses for the Apple IIGS, hardly a market leader.
      That's a tired old troll you have there, sir.

    7. Re:So trivial there's only one by phantomcircuit · · Score: 2

      Macs simply do not have enough market penetration to be profitable. That is the only reason that they have less malware.

    8. Re:So trivial there's only one by abigor · · Score: 1

      The number of Macs out there is orders of magnitude larger than the largest botnet. Yet no Mac botnets exist. Why is that?

    9. Re:So trivial there's only one by artor3 · · Score: 0, Flamebait

      And I hate to even point this out but look at the submitter's username. If you just got to /. since the mac ads came out you might want to sit back and listen for a few. Years. I know I did.

      Those ads started a few years ago. How much longer must he wait before he is worthy to speak in your presence, oh 6-digited one?

    10. Re:So trivial there's only one by mdwh2 · · Score: 1

      but the fact that (as you say) there aren't a proportionate amount to the size of the userbase does seem to imply decent security.

      Not at all, that's a non-sequitur. Why are you assuming there would be a linear relationship between users and exploits?

      If anything I would think it highly likely to be non-linear - if the vast majority of virus writers prefer to target the most popular platform (which does not seem unreasonable), then that means they choose Windows. That's true whether Windows's market share is 80%, 90%, or 99%, you could still end up with almost all viruses being written for it.

    11. Re:So trivial there's only one by mdwh2 · · Score: 0

      Honest question, why are Apple releasing security updates if there are no security exploits in their software?

    12. Re:So trivial there's only one by mdwh2 · · Score: 1

      It doesn't matter, they're still harder to find due to being less common. You're also assuming that a hacker can take over 100% of machines he finds, which is unreasonable. It's not like they just round up the machines, they have to get their malware spread to machines - firstly it's easier to spread viruses with a vastly more common platform, secondly, you have much better penetration. Supposing I am only able to take over 1% of machines I attempt it on - suddenly having to find all those Macs seems a lot more work.

    13. Re:So trivial there's only one by ctmurray · · Score: 1

      Can someone detail how someone makes money with malware? I thought the motivation was just the glory. But I have not followed the field much.

    14. Re:So trivial there's only one by cicuz · · Score: 1

      because there might be [one day]?

    15. Re:So trivial there's only one by el+americano · · Score: 2, Interesting

      So they're only vulnerable to the hobbyist hackers... where are the successful malware examples from that group?

      If the argument is that it's not worth anyone's time, then shouldn't you say that we don't know how vulnerable it is? I don't trust Apple implicitly, given how buggy early releases of many of their product seem to be, but this unfounded speculation does seem to be a popular troll that's used equally effectively against Linux. Try being a bit more responsible.

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    16. Re:So trivial there's only one by macs4all · · Score: 3, Informative

      Honest question, why are Apple releasing security updates if there are no security exploits in their software?

      Honest answer: Because you are confusing a (theoretical) VULNERABILITY (which ALL OSes have), but which have not been "realized", and an EXPLOIT (which is deliberately malicious code RELEASED IN THE WILD that leverages a VULNERABILITY). The OP and the GP were obviously referring to OS X EXPLOITS circulating in the wild, of which there simply are NONE.

      I know it sounds like I'm splitting hairs; but it is a VERY thick "hair"...

    17. Re:So trivial there's only one by nscheffey · · Score: 2, Interesting

      I personally haven't heard of any exploit in the wild except the trojan, for which the user has to be willing to provide their password to any old bit of software with unknown provenance - to be honest I don't know how one could protect against that on any system.

      Luckily, Ivan Krstic knows how. From a CNET article about Bitfrost:

      Instead of blocking specific viruses, the system (Bitfrost) sequesters every program on the computer in a separate virtual operating system, preventing any program from damaging the computer, stealing files, or spying on the user. Viruses are left isolated and impotent, unable to execute their code.

    18. Re:So trivial there's only one by obarthelemy · · Score: 1

      for the same reason kids are getting shots against almost-disappeared illnesses ?

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    19. Re:So trivial there's only one by Mr2001 · · Score: 4, Insightful

      So trivial in fact to launch an exploit on the Mac, that there's only one in the wild - and that's a trojan in a pirated application.

      Cute. Does that mean PC defenders get to ignore all the computers that have been infected by trojans too?

      According to that logic, I think we'd find that Windows is nearly as "secure" as OS X. Most infections happen because people are stupid enough to run any program that promises them free smiley-face cursors, not because of vulnerabilities in the OS.

      --
      Visual IRC: Fast. Powerful. Free.
    20. Re:So trivial there's only one by dhavleak · · Score: 2, Interesting

      I totally agree with you, but
      grrr.. trust /. to degenerate the topic into "Macs are swiss cheese.." "no! windows is swiss cheese".. etc..

      I'm really interested in hearing about Krstic's security philosophy and its merits/demerits. I found this talk on zdnet but there's only about 5 minutes of actual security architecture info in it at around 40:00 into the video. Oh, and there's also this BitFrost overview on Wikipedia. I think there are some cool concepts there. The idea of sandboxing all apps into containers with sets of standard rights, and restricting IPC to certain approved mechanisms is pretty interesting. Was hoping people could focus on BitFrost and Krstic's security philosophies so we could all learn something.

    21. Re:So trivial there's only one by someonehasmyname · · Score: 2, Interesting

      >> more exploits being found for OSX than Linux and windows

      I don't believe that for Linux, and I certainly don't believe that for Windows.

      Face it guys, OS X is built on a BSD userland with the same OpenSSH you all know and love. It uses the same owner/group/others file permissions. It ships with an excellent firewall, and no open ports by default.

      IMO, it's as safe as Linux. The smart users will only ever see trojans and home-dir-deleting "viruses", and the dumb ones that type their password will get owned.

      The probability of hitting a Mac, and then having the user enter their password into a random unexpected popup is too low for Macs to be a viable target.

      --
      Common sense is not so common.
    22. Re:So trivial there's only one by tenton · · Score: 1

      Viruses are left isolated and impotent, unable to execute their code.

      I have something in my inbox that can fix the impotency right up. At least that's what it says it does.

    23. Re:So trivial there's only one by dhavleak · · Score: 1

      Instead of blocking specific viruses, the system (Bitfrost) sequesters every program on the computer in a separate virtual operating system, preventing any program from damaging the computer, stealing files, or spying on the user.

      Yep. This approach is super-interesting. He also claimed that there is a 0% CPU overhead from using this approach and some ridiculously low memory overhead. I forget the number - but I promise you it was ridiculously low :).

      This approach also results in an overall reduction (cleaning up?) of IPC mechanisms. So the approach doesn't sound free/easy from an engineering standpoint -- it will either require apps to be re-authored or make exceptions for apps that need to use certain IPC mechanisms (or perhaps use heuristics to decide when to permit what).

      Viruses are left isolated and impotent, unable to execute their code.

      I saw this in the ZDNet/CNet article but I'm not sure if those are Krstic's own words or the author's. My first thought on reading that -- it depends on the 'virtual OS' we're talking about. I mean, is this a sandbox, or is it a hypervisor type thing? I haven't quite wrapped my mind around what are the attack vectors you would use in a scheme like this -- anyone know more about this??

      Gotta say -- this sounds like promising stuff. Good to see Apple starting to take action before they go through a Nimda or Blaster type experience.

    24. Re:So trivial there's only one by dhavleak · · Score: 1

      Sure. Here is a tip-of-the-iceberg paragraph from Wikipedia that explains it.

    25. Re:So trivial there's only one by imamac · · Score: 1

      Was hoping...we could all learn something.

      You must be new here.

    26. Re:So trivial there's only one by v1 · · Score: 1

      it just means there are few malware developers who think it's worth their time.

      Because scammers are only interested in BIG payoffs, and would rather go hungry than to merely rip off a minority?

      Last I checked, scammers aren't picky about who they take advantage of. They take advantage of anyone they can, every chance they get, however minor.

      --
      I work for the Department of Redundancy Department.
    27. Re:So trivial there's only one by Anonymous Coward · · Score: 0

      So they're only vulnerable to the hobbyist hackers... where are the successful malware examples from that group?

      That's not what he said doofus!

    28. Re:So trivial there's only one by ctmurray · · Score: 1

      Thanks. Great link.

    29. Re:So trivial there's only one by Anonymous Coward · · Score: 0

      How much longer must he wait before he is worthy to speak in your presence, oh 6-digited one?

      Are you referring to his UID or the number of fingers he has?

    30. Re:So trivial there's only one by abigor · · Score: 1

      How is it a lot more work? You scan massive blocks of IPs and run your remote exploit (which the summary assures us is trivial) against them. As the botnet grows, it joins your scanning/exploiting effort. Even if you got only 1% of all Macs, that would still be completely enormous. You'd think SOMEONE would have tried it by now. But no. So maybe remote exploits aren't so trivial after all.

      So maybe we have to resort to other malware. One of the main vectors into Windows is the classic malware-infested web page, which exploits ActiveX. If one in ten desktops are Macs, then those are still pretty good odds for malware writers - your classic porn drive-by would work fine. But strangely, that hasn't happened either.

      The old "it's not popular so it's not worth it" argument holds no water, or else less popular but extremely insecure software like IIS would never have been exploited. Instead, it would be Apache that's causing problems. But exactly the opposite is true.

    31. Re:So trivial there's only one by mattack2 · · Score: 1

      What GS viruses? I had an Apple II virus before the term was used in computers, but can't think of a GS specific virus.

    32. Re:So trivial there's only one by Phroggy · · Score: 3, Insightful

      If the marketshare argument was true then there wouldn't have been any viruses for pre-OSX Macs either. But there were; lots of them.

      Malware was different in those days. Yes, there used to be Mac viruses. Nowhere near as many as DOS/Windows viruses, but a lot. They were mostly transmitted on physical media, not downloaded over a network; most of them were written before TCP/IP support was included in the OS. Most of the holes that allowed the old viruses to spread have been closed, and there just aren't that many holes that new viruses can take advantage of.

      Old-school Mac viruses were created by people looking for a creative way to make a virus because it was a fun challenge and it might gain them a bit of notoriety; there was never any profit in it (and most of the viruses weren't deliberately destructive, although some of them were accidentally destructive due to bugs). Modern malware authors are in it for the money.

      Since the OS itself is really pretty secure these days, the best way to spread Mac malware is to trick the user into deliberately executing your code for you, clicking through all the security warnings. If you're in it for the money, that's the approach you'll take. If you're not in it for the money, there's no technical challenge in that! Anybody could make a malicious application that looks like a fun toy, so what's the point?

      And if you're in it for the money, there's more money to be made on Windows right now. As Macs grow in popularity and Windows users start keeping their antivirus software up to date, the balance will shift, but it hasn't shifted yet.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    33. Re:So trivial there's only one by Zonnald · · Score: 1

      Just wonder... If I was a scammer, wouldn't I just pick up on someone else's work and expand on it, maybe improve it. Why re-invent the wheel?
      You can't possibly deny that most of these millions of Windows Exploits are merely derivations of earlier efforts?

    34. Re:So trivial there's only one by warrigal · · Score: 2, Informative

      CyberAIDS, Festering Hate are two that come to mind.

    35. Re:So trivial there's only one by Hucko · · Score: 1

      That would suggest that Windows is in even worse shape than we thought. It is bad enough there have been so many attack vectors without adding that they still haven't been fixed in 7 years.

      I think you are wrong and there have simply been quite a few well publicised exploits. Of course that is just an opinion from someone majoring in a different area of using operating systems.

      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
    36. Re:So trivial there's only one by mdwh2 · · Score: 1

      Right, fair enough, in which case we're back to the obvious point that no one's bothered to exploit it due to a lack of users. It's not because OS X is free of risks, because we both agree there are vulnerabilities.

    37. Re:So trivial there's only one by mdwh2 · · Score: 1

      The difference is that people don't run around screaming that those kids are magically immune to any disease, or that no disease could ever harm them. Companies don't claim that no disease affects their child, whilst other children do get diseases. We acknowledge that those illnesses are a risk.

    38. Re:So trivial there's only one by mdwh2 · · Score: 1

      I see the pro-Apple censorship moderation is back on form - heaven forbid you ask an honest question! The fact that honest debate is modded down rather than answered doesn't exactly make their point of view look very robust...

    39. Re:So trivial there's only one by Richard_at_work · · Score: 1

      The problem is, yesterday's viruses were written by spotty virgins still in high school, usually mainly for the group kudos gained from knowing that your virus is hurting others, and people knowing about it.

      Yesterday's viruses were spread via floppy or similar attack vectors, resulting in a slow spread that was pretty useless if you wished to make money from them.

      Today's viruses have the benefit of the internet - the same people are making the viruses, but they grew up and learnt the value of money and they now have a way to monetise their skills (horrible word, but descriptive). Botnets for hire, denial of service threats, data theft et al. And the most money is to be made off the most popular platform.

      Spotty virgins are still producing viruses, but they are the script kiddies using other people's tools - which will be aimed at the most popular platforms.

    40. Re:So trivial there's only one by bsdaemonaut · · Score: 1

      Oh god no, it destroyed my 5.25" floppy disc! I'm not defending Apple or anything, the last (and only) product from Apple I've ever owned is a IIgs. In the end, most of these viruses were more obnoxious than anything else as most of us didn't have hard drives to ruin and anybody who turned off write protection on the program disk rather than saving files to a secondary disk was worthy of scorn.

    41. Re:So trivial there's only one by intheshelter · · Score: 1

      "I've seen OSX exploits that didn't require any more interaction from a user than those aimed at windows in farm environments;"

      - I call shenanigans on that statement. You've somehow seen them, but the rest of the world is unaware of them? Serve up some facts and proof or stop wasting my time.

    42. Re:So trivial there's only one by intheshelter · · Score: 1

      Nobody denied that there are vulnerabilities. I have never seen anyone deny that. What is in contention is that the Mac is swiss cheese like some FUD-meisters seem to state. Right now there is no malware aside from Trojans (that I am aware of) and if the Mac is as wide open as they say there should be SOMETHING, but there's not. I don't think Macs are invulnerable, but right now they are the safer proposition.

    43. Re:So trivial there's only one by stewbacca · · Score: 1

      If it were so trivial, it wouldn't take a "malware developer" to develop an exploit. There are enough Mac bigots in the world that have trivial development skills for at least SOME exploits to garner traction, yet exploits are still (20 years running) a non-issue for the general public using Macs.

    44. Re:So trivial there's only one by stewbacca · · Score: 1

      I can give you a layman's understanding. With Windows, if I don't properly uninstall something, it breaks a bunch of other stuff. Remove the wrong .dll or screw with the registry, and your stuff breaks.

      With OSX, there are no .dlls (but I'm sure there are probably shared files that break each other, just not as deeply embedded as the .dll dependencies in Windows) and there is no registry to screw up. For these two reasons alone, 99% of the hackers out there are out of luck when hacking a Mac, because none of their tricks work.

      On a Mac I can just chuck stuff in the trash with (relatively) no worries. At this most basic level, it should be easy to imagine how much havoc one could unleash on a Windows OS compared to OSX.

    45. Re:So trivial there's only one by stewbacca · · Score: 1

      Honest question, why are Apple releasing security updates if there are no security exploits in their software?

      Preemption.

    46. Re:So trivial there's only one by stewbacca · · Score: 1

      -1 redundant (how many times in this thread???), -1 not convincing, -1 perpetuating dubious myths. There, I got your score back down to zero.

    47. Re:So trivial there's only one by dhavleak · · Score: 1

      I can give you a layman's understanding.

      Hey man -- thanks for attempting -- but that's not what I was asking for. I understand security concepts very well - I'm asking for people to discuss Krstic's take on what he will do (architecturally) for Mac security.

      I don't mean to be rude, but there are terrible flaws in your post, and you ended up posting just another one of those "windows is insecure, mac is secure" type of posts that I was hoping people would stay away from. Registry is just another configuration mechanism. Screw up your config (no matter where/how it is stored) and you risk breaking stuff. DLLs are just libraries that you link to at run-time. Every OS has this concept (.so or .sol on linux -- something like that on Mac). There's no deep/deeper/deepest dependency than the signature of the API you're calling in a DLL. It's pretty simple stuff -- no voodoo on any platform. Delete a dll/so/sol on any platform, and the code that calls into it will break.

    48. Re:So trivial there's only one by 99BottlesOfBeerInMyF · · Score: 1

      Honest question, why are Apple releasing security updates if there are no security exploits in their software?

      Please go learn what the words you're using mean. A potential vulnerability, vulnerability, and exploit are all different things and proper security updates address the two former, not the latter.

    49. Re:So trivial there's only one by 99BottlesOfBeerInMyF · · Score: 1

      it will either require apps to be re-authored or make exceptions for apps that need to use certain IPC mechanisms (or perhaps use heuristics to decide when to permit what).

      The heuristics in question are ACLs. Both Bitfrost on the XO and OS X have MAC style frameworks in use today. The trick is applying them well and getting software well behaved enough and with well crafted ACLs. Apple already uses this to sequester a few high risk, exposed services like ZeroConf. The next step will probably be to get it working well for high risk end user software, then all Apple software, then third party applications. The last step being the hardest, of course. Still, Apple has an advantage here in that they use fairly modern APIs and fairly self contained application packages, greatly simplifying the task compared to other OS's.

      My first thought on reading that -- it depends on the 'virtual OS' we're talking about. I mean, is this a sandbox, or is it a hypervisor type thing?

      Apple currently uses a framework that is basically a port of the Mandatory Access Control from TrustedBSD. You can consider it a sandbox defined by an ACL or combination of ACLs. Assuming this is why they hired Krstic, he'll probably be working on expanding the use of that, rather than replacing it.

      I haven't quite wrapped my mind around what are the attack vectors you would use in a scheme like this...

      You can try to break out of the sandbox or exploit a service offered to your application or try to get a given application to have enough privileges to be dangerous. The attack, of course, depends upon what the default sandboxing is (if any) and what kind of UI it has for social engineering.

      Good to see Apple starting to take action before they go through a Nimda or Blaster type experience.

      While Apple does use this to mitigate potential worms (still the biggest risk) having so few exposed services to start with makes Apple pretty hardened anyway. Where this is really interesting is in dealing with trojans as it (combined with Apple's largely unused signing framework) is a realistic method of mitigating the damage from trojans, even with mostly clueless users.

    50. Re:So trivial there's only one by stewbacca · · Score: 1

      There's no deep/deeper/deepest dependency

      In Windows you have to carefully "uninstall" an application, so as not to break other parts. How can there be no deep/deeper/deepest dependencies if Windows requires you to uninstall to preserve these dependencies, and there is no such requirement in OSX? You just delete the app. This alone would suggest that the Windows OS has far more dependencies on shared components.

      Again, I'm a layman, so I'm sure somebody else can explain it better.

    51. Re:So trivial there's only one by dhavleak · · Score: 1

      In Windows you have to carefully "uninstall" an application, so as not to break other parts

      Thanks for being a bleeding troll! Can you stay on point? Do you have anything you want to contribute regarding Krstic's security philosophy and what it might mean for Macs? I'm more than happy to disabuse you of this silly thinking above, but do we have to pollute every motherfucking thread on this site with these "my OS is better than yours" pissfests??

    52. Re:So trivial there's only one by stewbacca · · Score: 1

      Yikes, ok, thanks for the not-so-thoughtful discussion. My bad for being so dumb. I guess I'll take my people skills where they are better understood (and welcomed, and not flamed as troll, when no trolling was intended). Have a nice day!

    53. Re:So trivial there's only one by 99BottlesOfBeerInMyF · · Score: 1

      I understand security concepts very well - I'm asking for people to discuss Krstic's take on what he will do (architecturally) for Mac security.

      I've never read anything he wrote about Macs in particular, but he seems to subscribe to the security trend towards increased security granularity at the application level. SELinux, TrustedBSD, Solaris, and OS X have all moved the same direction with underlying technology but aside from locked down high security installations, have not widely deployed said technologies across the application space. Such a move requires some serious effort and, potentially both changes in the way developers work and serious UI innovation.

      OS X on the iPhone uses this to lock down all the applications into their own little jails, with issues for any interactions between applications (like how hard it was to implement copy and paste). OS X on the desktop only uses it to lock down a few high risk services. Krstic could be hired to help make the iPhone more flexible, to expand security on OS X, or both.

      The previous poster did have a point, albeit he may not have realized how it applied here. OS X applications being contained in a single package does make it easier to write ACLs that restrict it from doing damage without making it useless. Likewise, the fact that OS X already tracks file changes by application makes it easier to do the same.

      DLLs are just libraries that you link to at run-time. Every OS has this concept (.so or .sol on linux -- something like that on Mac).

      Sort of, yeah. OS X has some interesting dynamic linking for libraries that is actually a bit complex sometimes (but cool).

      There's no deep/deeper/deepest dependency than the signature of the API you're calling in a DLL. It's pretty simple stuff -- no voodoo on any platform. Delete a dll/so/sol on any platform, and the code that calls into it will break.

      The point with OS X being that libraries for end user applications are within the application package if they aren't part of the OS's APIs, so deleting an application will never delete the equivalent of a DLL used by another application, breaking it. Also, when installing an application, you can reasonably restrict it from editing any files outside of its .app folder and the config XML file in the user's home directory (which is actually also optional) and restrict it from editing any files it did not create. That sort of a default, restrictive ACL on Windows would be painful to implement. Obviously, a comprehensive security approach will be more nuanced, but simply talking about random, unsigned applications, the more modern APIs in use on OS X and the NextStep style packaging are a huge boon for trojan and virus mitigation using the technologies Krstic used on the XO.

    54. Re:So trivial there's only one by jo_ham · · Score: 1

      Oh come on, the old "not worth their time" excuse is as old as the hills.

      You don't think it would be a *massive coup* for a virus/malware creator to be the first to "break ground" on the "supposedly secure" Mac platform?

      Whether you think the Mac platform itself is more secure than Windows doesn't matter - the public perception is that this is the belief.

      So while we have the odd trojan in a pirated copy of Office for Mac, there is a distinct lack of malware for the Mac in general, and it won't be for lack of effort.

      There are enough anti-Mac malware zealots out there just dying to prove the "Macs don't get viruses" myth wrong.

      And in all that time, we've had a proof of concept and a trojan via pirated software. Not a bad record really. The proportional rate of malware for Windows and Mac, even taking into account a huge biasing weight due to the disparity in market share, is still way off - two exploits, one of which is a social engineering issue and the other not in the wild really does speak volumes.

      I'm not saying the Mac platform is immune (that would be silly) but it is demonstrably more secure and is most certainly not "trivial to launch exploits against" by any stretch of the imagination. Author is wilfully ignorant.

    55. Re:So trivial there's only one by el+americano · · Score: 1

      He said it's not worth the investment - without supporting the statement in any way. Even if we assume that's true, and everyone agrees with him, there are still plenty of people who would do it for recognition or just to prove it could be done.

      Don't worry, there are still reasons to buy Windows. It's just that security isn't one of them.

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    56. Re:So trivial there's only one by Anonymous Coward · · Score: 0

      The point with OS X being that libraries for end user applications are within the application package if they aren't part of the OS's APIs

      Apps link to dlls. A dll may be part of the OS or it may not be. If it's not, the dll should be packaged with the app install. I'm not sure how this is different on any OS.

      GP provided a link that explains Krstic's security policy in pretty good detail. There's not much value in your post - you appear to be trying to bait another mac vs win argument that GP is specifically trying to avoid.

    57. Re:So trivial there's only one by 99BottlesOfBeerInMyF · · Score: 1

      Apps link to dlls. A dll may be part of the OS or it may not be. If it's not, the dll should be packaged with the app install. I'm not sure how this is different on any OS.

      The difference is when you install a Windows application the "dll" goes in the registry. When you install a Mac application it is contained within the .app folder which constitutes an executable. So if you want to stop a Windows application from screwing with other programs, you need to customize every ACL for each program so it can still write the dlls. With a Mac, you just write an ACL that restricts any untrusted application to writing to its own .app folder. The self contained nature makes strong ACLs significantly easier, or makes quick and dirty ACLs significantly more secure against viruses.

      There's not much value in your post - you appear to be trying to bait another mac vs win argument that GP is specifically trying to avoid.

      The article only talks about his work on Linux. I was writing about the same technologies as they have been applied on OS X, where he is now going to be working on them. I'm not trying to bait anyone into arguing about OS X vs. Windows as it is pointless with 90% of people who don't understand one or the other well enough to comprehend the issues. That rather seems to be the case with you. You're obviously not understanding how OS X implements the NextStep style applications or what the ramifications of that are for mandatory access controls. I apologize for trying to inject an informed opinion into your insistence on attacking another poster from an ignorant stance yourself.
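
The default write policy described in the comments above (an untrusted application may write only inside its own .app folder and to its config file in the user's home directory, and may edit only files it created), sketched as an added example that is not part of the thread and is not Apple's or Bitfrost's code. The `BundlePolicy` class, the sample paths and the preferences-file location are assumptions made for illustration.

```python
import posixpath


def _normalize(path):
    """Collapse '.', '..' and repeated slashes lexically, without touching the disk.

    A real enforcement point (a kernel MAC hook) sees the already-resolved file,
    so symlinks are not an issue there; this sketch only handles lexical tricks.
    """
    if not path.startswith("/"):
        raise ValueError("policy only accepts absolute paths: %r" % path)
    # normpath() keeps a leading '//', so reduce it to a single slash first.
    return posixpath.normpath("/" + path.lstrip("/"))


def _is_within(path, root):
    """True if path is root or lies below it, compared by whole path components."""
    return path == root or path.startswith(root.rstrip("/") + "/")


class BundlePolicy:
    """Default-deny write policy for one untrusted application bundle."""

    def __init__(self, bundle, bundle_id, home):
        self.bundle = _normalize(bundle)
        # Assumed location of the per-application config file.
        self.prefs_file = _normalize(
            posixpath.join(home, "Library/Preferences", bundle_id + ".plist"))
        self._created = set()  # files this application created itself

    def in_write_area(self, target):
        """Is target inside the bundle, or exactly the application's config file?"""
        try:
            t = _normalize(target)
        except ValueError:
            return False
        return _is_within(t, self.bundle) or t == self.prefs_file

    def create(self, target):
        """Allow creating a new file only inside the write area; remember it."""
        if not self.in_write_area(target):
            return False
        self._created.add(_normalize(target))
        return True

    def may_modify(self, target):
        """Allow editing only files the application created earlier."""
        return self.in_write_area(target) and _normalize(target) in self._created


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    policy = BundlePolicy("/Applications/Notes.app", "com.example.notes", "/Users/alice")
    attempts = [
        "/Applications/Notes.app/Contents/Resources/cache.db",
        "/Applications/Notes.app/../Mail.app/Contents/MacOS/Mail",  # '..' escape
        "/Applications/Notes.app-helper/payload",                   # prefix look-alike
        "/Users/alice/Library/Preferences/com.example.notes.plist",
        "/Users/alice/Documents/thesis.doc",
    ]
    for path in attempts:
        print("%-62s %s" % (path, "allow" if policy.create(path) else "deny"))
    # The shipped executable was not created by the running application: deny.
    print(policy.may_modify("/Applications/Notes.app/Contents/MacOS/Notes"))
```

The comparison is done on whole path components after normalization, which is what keeps `Notes.app-helper` and `Notes.app/../Mail.app` outside the allowed area.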

    58. Re:So trivial there's only one by GaryPatterson · · Score: 1

      Oh, the memories. I lost a few files due to viruses, but there was that great little anti-virus app that cleaned them all up.

      I can't remember its name, but the 'About' box played the Monty Python theme, as a foot came down to squash the virus names. The author stopped updating it after a while as no new Mac viruses were appearing.

      Still, I never lost more files than I did to Apple. There was a problem on the 5500/250 for which the only solution was to reformat and reinstall. That taught me to back up my files!

      Sorry... woolgathering...

    59. Re:So trivial there's only one by Phroggy · · Score: 1

      The free antivirus app you're referring to was called "Disinfectant".

      The theme from Monty Python's Flying Circus is in fact The Liberty Bell March by John Philip Sousa.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    60. Re:So trivial there's only one by Anonymous Coward · · Score: 0

      The difference is when you install a Windows application the "dll" goes in the registry.

      The most basic premise of your post is incorrect. No need to reply to the rest of it. You are a troll.

  2. One extreme to the other... by smoatigah · · Score: 1

    From what was meant to be one of the cheapest available laptops, to Apple?!


    Bipolar much?

  3. I'll tell you why they hired him by Anonymous Coward · · Score: 0

    The only vowels in his first and last name? I and A.

  4. Flamebait summary by GreyWolf3000 · · Score: 4, Informative

    "His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac."

    Public knowledge? Public knowledge? I doubt the "public" really thinks it's trivial to launch an exploit against the PC.

    I feel like I just listened to a 5 year old arguing to another 5 year old... "EVERYONE knows that YOUR operating system IS STOOOPED."

    --
    Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    1. Re:Flamebait summary by Anonymous Coward · · Score: 0

      My operating system can beat up your operating system :-P

    2. Re:Flamebait summary by Anonymous Coward · · Score: 0

      I feel like I just listened to a 5 year old

      Then consider that you didn't, and reach for a dictionary. It's public knowledge -- anyone who wants to know, can know; it's no secret. My phone number is public knowledge -- anyone can look it up. That doesn't mean everyone, or even the general public, knows my phone number.

    3. Re:Flamebait summary by CODiNE · · Score: 1

      I feel like I just listened to a 5 year old arguing to another 5 year old... "EVERYONE knows that YOUR operating system IS STOOOPED."

      Why can't his operating system stand up straight?

      --
      Cwm, fjord-bank glyphs vext quiz
    4. Re:Flamebait summary by clang_jangle · · Score: 1

      Amusing that the Apple haters who drone on about how "insecure" OS X is don't have any malware they've written for the Mac they can demonstrate. But they sure can blow that hot air!

      --
      Caveat Utilitor
    5. Re:Flamebait summary by colonelxc · · Score: 1

      What the summary is referring to is the lack of kernel level protections such as address space layout randomization and the like. AFAIK those are coming in 10.6, but it is still catching up in that regard. Windows, having been (and still is) plagued by viruses, has implemented protections such as ASLR to make it much more difficult for run of the mill buffer overflows to actually turn into an exploit.

      It may not be quite "public knowledge" but it is out there (page 4 for the talk about ASLR).

    6. Re:Flamebait summary by yabos · · Score: 1

      Leopard has partial ASLR but full support is coming in Snow Leopard.

  5. Re:I am lost here . . . by Anonymous Coward · · Score: 1, Funny

    The relevance of the article is that Apple are beginning to close up their back doors, which is amazing and shows restraint on their part.

    What's next, marketing to straight people?

  6. Someone else to hire in addition by elbiatcho1 · · Score: 1

    Maybe Apple should hire a new SQA/QA director?

  7. Re:I am lost here . . . by caladine · · Score: 4, Interesting

    Apparently they think now might be a good time to start battening down the hatches. They don't want to make mistakes like they did with the iPhone. Who seriously leaves a JTAG enabled and on the board of a production phone?

  8. Speaking of hiring people... by Anonymous Coward · · Score: 0
  9. Re:I am lost here . . . by chuckymonkey · · Score: 4, Interesting

    Let's see here. The guy that invented a good security system (nerd) is hired by a large corporation (news). So far we have nerd and news covered. Now let's see, how does this matter? As macs gain popularity they also garner the interest of people looking to make exploits for them. Apple is trying to head off the tide a little so they can still market as being more secure than their main competitor. Personally I'm a Freebsd/Linux fan, but for all the mac users out there I think that it matters. So there you have it, News for Nerds, Stuff that matters. Or maybe News about a Nerd, Stuff that Matters.

    --
    "Some books contain the machinery required to create and sustain universes."-Tycho
  10. Can't we all just get along by docbrody · · Score: 3, Funny

    Prediction:
    This thread will soon devolve into a flaming argument between Apple Fanbois and Apple FanBoi bashers.

    I am so tired of both sides arguing about Apple that I wish Slashdot would just remove the Apple section from the site.

    let the games begin

    1. Re:Can't we all just get along by Anonymous Coward · · Score: 0

      Well, guess I'll say the obvious... Since the articles you don't like are mostly isolated in one section, why not simply adjust your setting so you can't see the Apple articles?

    2. Re:Can't we all just get along by docbrody · · Score: 1

      Good point, but it's not the articles I don't like, it's the arguments between the fanatics on both sides. But since I took this off topic in the first place, I guess I should bring it back. Personally I think it is great that Apple is making these kinds of hires, but I'd it's more about the iPhone OS and not the full blown desktop OS X. (iPhone, touch, possibly a tablet)

    3. Re:Can't we all just get along by Anonymous Coward · · Score: 0

      Maybe you're different, but most people don't have someone holding a gun to their head making them read the Apple-related posts.

    4. Re:Can't we all just get along by docbrody · · Score: 1

      What can I say, I'm a sucker for punishment.

    5. Re:Can't we all just get along by Hurricane78 · · Score: 1

      And Apple Fanboi and Apple Fanboi basher bashers, which seem to be exceptionally good at trolling below the radar. ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  11. And in other news... by dave562 · · Score: 3, Funny

    Apple execs have put down their glasses of marketing Kool-Aid and joined the real world. They're obviously trying to get out ahead of the potential security holes in their OS, and they recognize that, despite what the fanbois will say, OSX is just as vulnerable as most other topics. Luckily for Mac users, none of the system crackers seem to care about gay porn or graphic design files.

    1. Re:And in other news... by dave562 · · Score: 1

      ..vulnerable as most other OSes. (How I got "topics" out of OSes, and why I didn't preview before posting are left up to the imagination of the reader)

    2. Re:And in other news... by dave562 · · Score: 0, Troll

      You must be a Mac user if that's the first thing that comes to mind.

    3. Re:And in other news... by markkezner · · Score: 1

      Well, the word "topic" still applies, as there can be a nasty security hole in anything theoretically. At least that's how I took it until I read your above post. Although, it's probably not the word I would have used in that context.

      --
      Dangerous, sexy, turing complete: Femme Bots
    4. Re:And in other news... by intheshelter · · Score: 1

      You sure are reading a lot into this hire aren't you? Not that OS X is invulnerable, I don't believe that, but your assertion that because they hired someone for OS security they obviously recognize the Mac is full of security holes is a stretch, isn't it? Maybe they want to assure themselves that it doesn't BECOME exploited?

    5. Re:And in other news... by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Apple execs have put down their glasses of marketing Kool-Aid and joined the real world.

      Apple has always been a bit erratic when it comes to security, owing to their odd blend of cultures. To suggest, however, that they've been ignoring security is more than a little misguided. Leopard included the addition of a MAC framework ported from TrustedBSD, an application signing framework, and ACLs restricting some exposed services (like zeroconf) that would have been vulnerabilities otherwise. Apple has done a very good job of shipping an OS hardened enough to deal with the level of worm and virus infections facing it in the wild. Now, with trojans being a bigger concern, they bring in a person who helped write and implement a pretty decent MAC implementation for general, if limited use. With luck this may be the beginning of a new era of consumer level trojan mitigation, something Apple already laid the groundwork for but has not really implemented the UI and market components for.

      Basically I disagree with you that Apple has been ignoring security and I disagree that OS X is as vulnerable to most classes of real world threats as Windows. I see this as Apple making a good hire that fits with their current security strategies, assuming that is what they hired him for.

  12. Ha by bonch · · Score: 5, Informative

    despite public knowledge that it's rather trivial to launch exploits against the Mac.

    It's not public knowledge, and the only exploit going around recently was one you had to download in a pirated application. Nice little troll slip in the summary there.

    1. Re:Ha by docbrody · · Score: 0

      why in the world did you get modded troll for this?

    2. Re:Ha by broken_chaos · · Score: 3, Interesting

      Someone seems to be methodically modding down any comments that disagree with the submitter.

    3. Re:Ha by Anonymous Coward · · Score: 0

      It's his signature.

    4. Re:Ha by H0p313ss · · Score: 1

      Someone seems to be methodically modding down any comments that disagree with the submitter.

      Must be the terrorists!

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    5. Re:Ha by imamac · · Score: 0, Flamebait

      The trolling was a quote from TFA, actually. I happen to be a genuine fanboi.

    6. Re:Ha by imamac · · Score: 1

      WTF? I just realized that this is my submission verbatim, but it's someone else's name...

    7. Re:Ha by imamac · · Score: 2, Informative

      Sigh. Nevermind. I'm going crazy.

    8. Re:Ha by Jeff+DeMaagd · · Score: 1

      There is a difference between active exploits and security holes. There are very few known active exploits, but there are holes as far as I remember, and given a little time, a hole will be exploited if not patched. I don't think the security hole where a contestant won in a MacBook in a recent Pwn-To-Own contest got fixed. I don't recall that one as requiring the user to run as administrator or root, unlike past Pwn-To-Own contests.

    9. Re:Ha by Anonymous Coward · · Score: 1, Insightful

      Well, it's reasonably well known in the security world that OS X has a number of unexploited vulnerabilities, and there have been proof-of-concept exploitations, just not any in-the-wild applications (except for the pirated application you mention). See Mudge Zatko's comments on page 8 of Andy Oram & John Viega's new book *Beautiful Security*, and Charlie Miller cracked Safari in 20 seconds in pwn20wn. I wouldn't call it "trivial," but it's not unbreakable.

      That said, I think it would be a stretch to claim that OS X is more crackable than Windows. Maybe, just maybe, more so than Windows 7; and maybe it's a close contest with Vista (which has what, 1/4 the market share of XP?)

      I suspect one reason the crackers haven't gone after the Mac more is the barrier to entry - buying a Mac to test exploit code on is a lot more expensive than buying a beige box. With the hackintoshes, that may change soon.

  13. Re:I am lost here . . . by DragonWriter · · Score: 4, Informative

    Pray tell the relevance of this article?

    The Bitfrost system developed for OLPC (which is, AFAIK, completely open) is a comprehensive approach to security, data reliability, theft deterrence, and centralized management of computer systems designed for what amount to massive enterprises with extremely non-technical users.

    Apple picking up the designer of that system could be seen as an indication of directions they may take in the future. It's "News for Nerds" even if it's not entirely clear, obviously, how much it will turn out to be "Stuff that matters".

  14. Low hurdle by argent · · Score: 1

    When the competition is Windows, you don't need to be Marcus Ranum or Bruce Schneier to stroll over the hurdles... with crutches.

    1. Re:Low hurdle by bluefoxlucid · · Score: 1

      Marcus Ranum would suggest you shut Windows Update off, completely, and never turn it back on. Just use an ancient version of OpenBSD with no patches applied, running Apache from 1995. It's never had a security hole in anything because it doesn't suck.

  15. Good move apple! by Anonymous Coward · · Score: 1

    Ivan is a genius! He's an engaging speaker who really knows his stuff. Kudos to apple.

  16. Re:I am lost here . . . by bluefoxlucid · · Score: 1

    Specialized security system, which can be easily evaded by replacing the kernel. kexec() is built into those kernels (I've raised this a few times, I don't think anyone cared) and last I checked (which was several months ago, mind you) it worked if you were root (trivial, no root password). The laptop's refusal to boot an unsigned kernel can easily be handled by an init script that kload()s a new kernel and kexec()s; the software mechanisms in place to protect the laptop are now moot. This is, of course, a simple implementation bug elsewhere, not a specific weakness of the security system itself.

  17. security vs. safety by Anonymous Coward · · Score: 1, Informative

    You're right, the number of exploits doesn't necessarily mean it's a more secure system, but the fact that (as you say) there aren't a proportionate amount to the size of the userbase does seem to imply decent security.

    John Gruber had a good statement on this earlier today:

    Security is about technical measures, like the strength of the locks on your doors and windows. Safety is about the likelihood that you'll actually suffer from some sort of attack. Microsoft has in fact implemented more advanced security measures in Windows than Apple has in Mac OS X, but that's not surprising, because Windows is where nearly all the malware is.

    But it rings untrue to most ears to claim that Apple is doing a bad job with regard to security. The evidence suggests that Mac OS X has been and remains secure enough to be safe, and safety is what real people actually care about.

    http://daringfireball.net/linked/2009/05/13/security-safety

    1. Re:security vs. safety by Weedhopper · · Score: 1

      That's a cute semantic game he plays with security and safety. You could switch the two words around and sell the same snake oil just as well.

      John Gruber's wrong about the anchored shift selection, too.

    2. Re:security vs. safety by DECS · · Score: 5, Insightful

      In the dictionary that ships with Mac OS X:

      Security is defined as "the state of being free from danger or threat" and Safety is similarly defined as "the condition of being protected from or unlikely to cause danger, risk, or injury."

      Security comes from the Latin securitas or securus "free from care" while safety comes from the salvitas or salvus meaning "safe."

      So if there were any real nuance of difference between being safe and being secure, then security would have the edge in meaning over "feeling safe", while safety could be said to imply actually "being safe." But the words are really interchangeable, and how you use them can suggest either.

      The real discrepancy that needs to be pointed out between the Mac and Windows is that while Microsoft has recently invested more into building a fancy security infrastructure, Mac users continue to both feel safer and to actually be safer in the sense of being free from danger or threat.

      There is clearly no immediate or impending threat to Macs, and there is little in the way of market forces or that wishful thinking pundit invention of "hacker pride" that will result in something to turn Macs into the disaster that has dogged Windows since the late 90s.

      What pundits like to do is equate low risk, self-injury actions with high risk, difficult to escape from events. This is straight up misinformation mixed with fear, uncertainty and doubt. For example, nearly everyone is claiming that:

      * Downloading iLife warez that pretend to be stolen software
      * from a non-trusted source
      * assigning it privileges to install on your system
      * and then finding that you have installed a background process that does something ugly that you can trivially remove

      is the same as:

      * Trying to use Windows to browse the web and use email
      * finding that you've been automatically infected with adware and viral malware without knowing it
      * then finding that your PC is also self replicating attacks or sending spam on to other systems
      * then realizing that the design of Windows' registry makes it difficult to clean things out
      * then noticing how much of your CPU capacity is being used to protect you from all of these threats via malware and virus scanners
      * then finding out how expensive it is to spend hours cleaning up the mess yourself, or alternatively paying some Nerd Patrol $300 to "diagnose" that your PC is hosed.

      They are not the same, and only a liar would keep suggesting that Mac and Windows users face the same dangers and threats. If you're paying attention, you'll notice that those who keep suggesting this almost always work for an Anti-Virus company working to make money off of Mac users. This shouldn't require any help in dot connection.

      Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller... Mac AntiVirus Foe

    3. Re:security vs. safety by Anonymous Coward · · Score: 0

      Someone please vote this smart man up...

    4. Re:security vs. safety by Zonnald · · Score: 1

      By your arguments "Trying to use Windows to browse the web and use email" I would have thought in the 21 years since I graduated Uni, 14 years since I started using Netscape or IE 1 on Windows 95, I should have been regularly getting virus from the get go.
      This is not the case.
      Wish I could prove this to you.
      I did go through a period where I regularly ran virus protection and anti-spyware, but couldn't be bothered to upgrade it on to the next machine, as it usually didn't pick up anything.
      The majority of my experience with infected machines comes from my friends when their kids start using Lime wire.

    5. Re:security vs. safety by stewbacca · · Score: 1

      Just because it doesn't happen to you doesn't mean it ISN'T happening to the masses. I mean, isn't this the ultimate "since I can't see it, it doesn't exist" argument? Considering there's an entire row of anti-virus software at Fry's, and everyone I know with a PC and every place I've worked that uses PCs have gotten a virus or seven over the years, I'd say your anecdote is less valid than my anecdote.

    6. Re:security vs. safety by Zonnald · · Score: 1

      The GP was trying to say that being on a computer with windows and browsing with IE = owned. I am saying that it is not that simple.
      I suggest that by being reasonably responsible and aware of what evils are out there you are halfway to the solution.
      Arguing about an anecdote without context makes yours even more invalid, particularly as I did provide example of where irresponsible computing = owned.

      What astounds me is how ready we are all to accept that we owe all virus and malware to Windows but the fact is that others are making great money out of easing (i.e. not solving) the problem.
      They are eager to lock people in to annual subscription software.
      They have no way of surviving if operating systems were invulnerable.
      This theory even works with the argument that it is not profitable to target Linux and Mac systems due to market share.

  18. Re:I am lost here . . . by macs4all · · Score: 1

    Who seriously leaves a JTAG enabled and on the board of a production phone?

    What real good does it do to lock down the JTAG, when you distribute firmware updates via the tubes?

    Wow, look at me! I can perform a Boundary Scan, and I can dump out the (compiled) firmware (which I can also intercept during an OS sync)...

    Disabling the JTAG interface (by blowing the Security bit on the Microcontroller, I assume) would do nothing at all to make the system more "secure".

  19. Security in lack of numbers by Anonymous Coward · · Score: 0

    uhhhhh......the more ground Apple covers and the more marketshare they gain the less trivial security becomes. I would fall just short of calling myself a "fanboy," but I'll be the first to stand up and admit that the Mac's obscurity has been one of its greatest assets. Uhhhhh...down with the Mac!!!(?!?)

  20. Re:I am lost here . . . by orospakr · · Score: 3, Interesting

    How can threats from untrusted code (or vulnerabilities in trusted code) be able to exploit a JTAG header on the board of the device?

    Unless, of course, you think that the owner of the device is somehow a "security threat"? I keep meeting people who think this, and I really don't understand it at all...

    (actually, Krstic's Bitfrost system *does* implement some local physical security, but that is to address a very specific threat: theft)

  21. Actually yes, sort of by SuperKendall · · Score: 1

    Cute. Does that mean PC defenders get to ignore all the computers that have been infected by trojans too?

    Sort of, I would excuse all of the pirated stuff or things that get in by installing codecs to watch that "Special video". It's stuff that is only going to target a small percentage of users (unless you feel like claiming more PC users pirate stuff which may or may not be true).

    Of course PCs also have categories of malware that act as desirable applications from the user to download over the web, and then of course there are things like attacks against open ports that we'll not ever see on the Mac (since no ports are open by default to attack so it's a poor vector) and there are no Safari exploits in the wild to install malware like there are IE exploits (though of course that is possible, there just are none).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Actually yes, sort of by Mr2001 · · Score: 1

      Of course PC's also have categories of malware that act as desirable applications from the user to download over the web

      Those are called trojans, and we're ignoring those, remember? OS X doesn't stop a user from running a "desirable application" that turns out to be malware either.

      (Frankly, I think Windows does more in that regard: you usually have to click through a warning to launch an executable that you've downloaded.)

      --
      Visual IRC: Fast. Powerful. Free.
    2. Re:Actually yes, sort of by nyctopterus · · Score: 1

      (Frankly, I think Windows does more in that regard: you usually have to click through a warning to launch an executable that you've downloaded.)

      Actually, that was added in Leopard.

    3. Re:Actually yes, sort of by macs4all · · Score: 1

      (Frankly, I think Windows does more in that regard: you usually have to click through a warning to launch an executable that you've downloaded.)

      Actually, that was added in Leopard.

      Earlier than that. I think even Jaguar (10.2) warned the first time ANY application was launched. And Tiger (10.4) definitely warns not only when you launch ANY app for the first time, but also when you are DOWNLOADING.

      It even warns about .exe files, even though they aren't executable on OS X.

    4. Re:Actually yes, sort of by Mr2001 · · Score: 1

      My laptop runs Tiger, but I've never seen these warnings. Are they a feature of Safari? (I use Firefox.)

      --
      Visual IRC: Fast. Powerful. Free.
    5. Re:Actually yes, sort of by macs4all · · Score: 1

      Maybe they are. I only rarely use FireFox. I almost always use Safari.

  22. That argument was bullshit two years ago by SuperKendall · · Score: 2, Funny

    The malware industry has barriers to entry just like anything else, until we can make $x it's not worth any investment. OSX user base isn't big enough to generate $x yet.

    Price out botnets of a few hundred thousand nodes. Now figure there are 20-30 macs around, which are to some degree homogenous systems and thus in theory easier to target.

    Your argument goes straight to hell. When the number of intel macs in peoples homes crossed about five million, the "user base" argument went straight to hell from both a technical and financial sense.

    So how come no attacks to speak of? My vote is that the Russian Mafia all use macs, and they don't want to foul their own nest. :-)

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:That argument was bullshit two years ago by Phroggy · · Score: 1

      So how come no attacks to speak of? My vote is that the Russian Mafia all use macs, and they don't want to foul their own nest. :-)

      More likely the opposite is true: the Russian mafia all use PCs, and they have no idea how to write a Mac virus.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  23. Official title is "Apple Hater" by SuperKendall · · Score: 1

    Please keep the nomenclature correct, as it depicts the appropriate level of froth around the mouth.

    Removal of the Apple section would sadly not help, as the Apple Hater is persistent and will jump in with negative Apple comments in any context.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  24. Miller... Charlie Miller by not_hylas(+) · · Score: 1

    This ain't the "old days".

    The Mac Hacker's Handbook:

    http://www.amazon.com/Mac-Hackers-Handbook-Charles-Miller/dp/0470395362

    - which should be bought, read and placed on the shelf next to:

    Mac OS X Internals: A Systems Approach:

    http://www.amazon.com/Mac-OS-Internals-Systems-Approach/dp/0321278542/ref=sr_1_1?ie=UTF8&s=books&qid=1242357309&sr=1-1

    Apple's security wasn't an accident, but then neither was Microsoft's - a real go-er.

    Nudge, nudge, wink, wink.

    http://www.youtube.com/watch?v=jT3_UCm1A5I

    Yes.

    --
    ~hylas
  25. industry amnesia by Gary+W.+Longsine · · Score: 2, Insightful

    "If the marketshare argument was true then there wouldn't have been any viruses for pre-OSX Macs either. But there were; lots of them. There were also viruses for the Apple IIGS, hardly a market leader."

    These and other inconvenient truths of the malware "market" are ignored, universally, by the industry trade press, and a surprising number of "security experts". There were worms exploiting Microsoft SQL Server on web servers when Apache + any of several other db had as much or greater market share. There has been Linux malware.

    (Some of the various examples are relevant for fair comparison only within a market segment, such as the "web server" market, considered separately since these are considered "high value" targets, for their ability to spread to potentially many desktop systems, or for the data they might contain. For example, Linux had a minority share of the web server market when it first became a malware target. Perhaps this makes the case too subtle for pundits and the trade press, but it's not too subtle for the malware authors.)

    The market share argument might be a partial explanation, but it really cannot explain the entirety of the vacuum in the Mac OS X malware marketplace. It's been five years, and still no malware plague. How many versions, and how many years must pass, before the industry realizes that perhaps there is something to this Mac OS X thing?

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:industry amnesia by Hucko · · Score: 1

      There isn't exactly a plague of malware outside of Microsoft products. The 'something' is not necessarily because of OS X, but in spite of it.

      That said, my next machine will be a Mac. All weighed up, (I'm married, so ease of use has a significant factor for my spouse) OS X will be the center at which my computing world shall spin. Linux will be relegated back to a toy OS and if Windows appears it shall be for nostalgia --- I'm not very sentimental.

      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
    2. Re:industry amnesia by stewbacca · · Score: 1

      The market share argument might be a partial explanation, but it really cannot explain the entirety of the vacuum in the Mac OS X malware marketplace. It's been five years, and still no malware plague. How many versions, and how many years must pass, before the industry realizes that perhaps there is something to this Mac OS X thing?

      Mod waaaay up, especially after visiting your homepage.

  26. malware barrier to entry by Gary+W.+Longsine · · Score: 4, Insightful

    The barrier to entry most commonly cited as the largest barrier protecting the Mac, prior to the CPU transition of the Mac platform, was Apple's use of the PowerPC, which allegedly required that malware authors know PowerPC assembly language. This argument ignored:
    1. the fact that plenty of malware existed for the old "System 7" and Mac OS 8/9,
    2. the fact that anyone who knows x86 assembly can buy a book and write a perl script to convert their egg from x86 to PowerPC, then clean the rest up by hand. They've got the skills. They've got the hubris. They've clearly got the time, particularly when so much malware was authored by people just trying to demonstrate their prowess and make pranks, and
    3. the fact that with all this malware, a small fraction of cr@X0rz are actually proficient in assembly, and the eggs are used by legion skript kiddiez who do *not* know assembly, so there was plenty of PowerPC mad skilz available.

    Those people are still around, plenty of them, even though the most widely discussed malware is now part of profit seeking black market enterprises. Some of them are writing remote systems management code which puts Tivoli to shame. (e.g. Some of them are clearly bright enough to learn Objective C in a weekend, as they already know C, C++, C#, and x86 assembly) They are writing malware for Symbian, even though the statistics indicate that iPhone dominates the mobile web market. (Symbian has more browser instances on the planet, but they are not actually used by people to access the web, so you're not going to capture many passwords infecting those phones).

    In fact, it's time to really start wondering: Where's the Mac OS X malware?

    At some point we security experts must begin to consider the possibility that Mac OS X might be protected by more than its niche market share.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:malware barrier to entry by Anonymous Coward · · Score: 0

      At some point we security experts must begin to consider the possibility that Mac OS X might be protected by more than its niche market share.

      Back. that. statement. up. with. something.

      Or, just another apple fanboy?

  27. Right, small user base by SmallFurryCreature · · Score: 1

    Have you checked apples figures recently. They are the biggest PC maker in the world. That means they sell a HELL of a lot of PC's and because of OSX nature ALL with EXACTLY the same OS. Dell sells loads of different windows versions, even linux. Apple just OSX. Talk about a mono-culture.

    I also see them more and more often in the wild. But they are to small a target.

    Tell me this, whose credit card number would you rather have. A Apple users or a Dell users. (Dell user of course, the Apple user spend all his on his Mac :P)

    --
    MMO Quests are like orgasms:
    You may solo them, I prefer them in a group.
    1. Re:Right, small user base by stewbacca · · Score: 1

      Wow. This is one of the worst posts I've seen in a long time--grammar AND content. When the most valid part of a post is the juvenile sig, you know it's a crappy post.

  28. so trivial, to poke holes in your argument by Gary+W.+Longsine · · Score: 1

    Macs are not "harder to find due to being less common". Windows malware spreads through several means, here are the three most common:
    1. sending email to everyone in your address book
      Malware could trivially examine the email headers, determine which of your friends have Macs, and attach the Mac version of itself when sending email to them.
    2. probing the network for vulnerable ports (worms)
      Malware could trivially fingerprint Macs, scan for vulnerable Mac ports, and send a custom Mac egg through the network connection. (Ed Skoudis described multi-payload worms in his encyclopedic Malware a few years ago)
    3. by infecting a web server, and crawling back down the vulnerable browser
      Malware could trivially fingerprint the browser, and send custom packages to Safari or Firefox on the Mac when those users connect to an infected web site

    So many people who think they know this stuff, and many of whom call themselves "security experts", and yet who don't even take the time to read the literature, study the history, or even take a programming class so they understand what can be done, and what's easy vs. what's hard.

    tsk tsk.

    And your parent poster was suggesting that taking over 1% of the Macs would create a very competitive botnet. He's right. You're wrong.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  29. Re:I am lost here . . . by Anonymous Coward · · Score: 0

    Who seriously leaves a JTAG enabled and on the board of a production phone?

    Uh, like anybody that wants to be able to root cause the bonepile of RMA'd units?

    Lots of devices have at least an unpopulated JTAG header block. And anyone that knows what to do with it is going to have no problem soldering their own to it.

    Anyway, that's not any kind of security "mistake." A JTAG port doesn't make the phone remotely exploitable.

  30. iBotnet exists by kmike · · Score: 1
  31. Mac != OS X --- PC != Windows --- Mac is-a PC by jonaskoelker · · Score: 1

    (*sigh* I hate being the pedantic one...)

    I guess the challenge of the Windows ecosystem is what draws in the thousands of viruses and malware applications they get.

    I think I fixed that for you.

    If by PC you mean x86-based computers not from Apple, then if you install OS X on a Dell box, it would suddenly become malware-ridden according to what you say, right?

    And if it's not the operating system, what's the difference---with respect to malware---between an x86 running Ubuntu and an x86 running Ubuntu (one from Apple, one from Dell)?

    The "Mac vs. PC" distinction is really about OS X vs. Windows.

  32. Re:I am lost here . . . by squidinkcalligraphy · · Score: 1

    Bitfrost is DRM. Open DRM, but DRM nonetheless. It could be (is) used to prevent the installation of other OSes on the OLPC (among other things). Reverse that logic to get what Apple might be thinking about here - preventing their OS being installed on non-Apple systems.

    --
    "I think it would be a good idea" Gandhi, on Western Civilisation
  33. Syntax Error? by SickLittleMonkey · · Score: 1

    Man, I'm so old school I parsed the first two words "Apple Hires" as referring to the Apple II's HGR mode.

    SLM

    --
    main() {1;} // zen app
    1. Re:Syntax Error? by macs4all · · Score: 1

      No, that would be properly written as Apple HIRES.

      POKE -16297,0

  34. Re:I am lost here . . . by 99BottlesOfBeerInMyF · · Score: 1

    Bitfrost is DRM... Apple might be thinking about here - preventing their OS being installed on non-Apple systems.

    Bitfrost is a security suite including a working MAC implementation; one of the few in real world use. Since Apple introduced a MAC framework in Leopard, but applied it to only a small subset of applications, I'm guessing that's the most likely area for him to be working. Apple isn't losing significant money because of piracy of their OS but they are looking at threats to their very valuable brand from recent malware and security issues. Hopefully, Apple is pushing for a more comprehensive security strategy linking their ACLs to automated processes and a working UI.

  35. Re: Just another employee by Douglas+Goodall · · Score: 1

    Apple has hired a lot of people over the years. This guy will get to sit in at some meetings with the really smart people that are currently architecting OS X and his ideas will be considered. If he cannot convince people his ideas are important, his presence will have very little effect on what is shipped in the box. I bought an OLPC machine and disliked the security because it kept me from doing what I wanted with the machine I purchased. I have no reason to believe Apple is going to radically change the security methods in the operating system unless they can be absolutely sure it is the right way to go. They may not want to fix Mac OS if it isn't broken. The potential liability and Q/A overhead is very high. Let's see how long this guy stays around at his new job. If he doesn't walk on water, it will be hard to get the respect of the existing engineering staff. IMHO.

  36. lol butthurt mac user detected by Anonymous Coward · · Score: 0

    whine on fanboi