Apple Hires Former OLPC Security Director
imamac writes "It seems Apple is seeking to beef up security by hiring Ivan Krstic, the one-time director of security architecture at One Laptop per Child. 'Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac.'"
So trivial in fact to launch an exploit on the Mac, that there's only one in the wild - and that's a trojan in a pirated application.
I guess the challenge of the PC ecosystem is what draws in the thousands of viruses and malware applications they get.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
In the dictionary that ships with Mac OS X:
Security is defined as "the state of being free from danger or threat" and Safety is similarly defined as "the condition of being protected from or unlikely to cause danger, risk, or injury."
Security comes from the Latin securitas or securus "free from care" while safety comes from the salvitas or salvus meaning "safe."
So if there were any real nuance of difference between being safe and being secure, then security would have the edge in meaning over "feeling safe", while safety could be said to imply actually "being safe." But the words are really interchangeable, and how you use them can suggest either.
The real discrepancy that needs to be pointed out between the Mac and Windows is that while Microsoft has recently invested more into building a fancy security infrastructure, Mac users continue to both feel safer and to actually be safer in the sense of being free from danger or threat.
There is clearly no immediate or impending threat to Macs, and there is little in the way of market forces or that wishful thinking pundit invention of "hacker pride" that will result in something to turn Macs into the disaster that has dogged Windows since the late 90s.
What pundits like to do is equate low risk, self-injury actions with high risk, difficult to escape from events. This is straight up misinformation mixed with fear, uncertainty and doubt. For example, nearly everyone is claiming that:
* Downloading iLife warez that pretend to be stolen software
* from a non-trusted source
* assigning it privileges to install on your system
* and then finding that you have installed a background process that does something ugly that you can trivially remove
is the same as:
* Trying to use Windows to browse the web and use email
* finding that you've been automatically infected with adware and viral malware without knowing it
* then finding that your PC is also self replicating attacks or sending spam on to other systems
* then realizing that the design of Windows' registry makes it difficult to clean things out
* then noticing how much of your CPU capacity is being used to protect you from all of these threats via malware and virus scanners
* then finding out how expensive it is to spend hours cleaning up the mess yourself, or alternatively paying some Nerd Patrol $300 to "diagnose" that your PC is hosed.
They are not the same, and only a liar would keep suggesting that Mac and Windows users face the same dangers and threats. If you're paying attention, you'll notice that those who keep suggesting this almost always work for an Anti-Virus company working to make money off of Mac users. This shouldn't require any help in dot connection.
Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller... Mac AntiVirus Foe
Well, it's reasonably well known in the security world that OS X has a number of unexploited vulnerabilities, and there have been proof-of-concept exploitations, just not any in-the-wild applications (except for the pirated application you mention). See Mudge Zatko's comments on page 8 of Andy Oram & John Viega's new book *Beautiful Security*, and Charlie Miller cracked Safari in 20 seconds in Pwn2Own. I wouldn't call it "trivial," but it's not unbreakable.
That said, I think it would be a stretch to claim that OS X is more crackable than Windows. Maybe, just maybe, more so than Windows 7; and maybe it's a close contest with Vista (which has what, 1/4 the market share of XP?)
I suspect one reason the crackers haven't gone after the Mac more is the barrier to entry - buying a Mac to test exploit code on is a lot more expensive than buying a beige box. With the Hackintoshes, that may change soon.
These and other inconvenient truths of the malware "market" are ignored, universally, by the industry trade press, and a surprising number of "security experts". There were worms exploiting Microsoft SQL Server on web servers when Apache + any of several other db had as much or greater market share. There has been Linux malware.
(Some of the various examples are relevant for fair comparison only within a market segment, such as the "web server" market, considered separately since these are considered "high value" targets, for their ability to spread to potentially many desktop systems, or for the data they might contain. For example, Linux had a minority share of the web server market when it first became a malware target. Perhaps this makes the case too subtle for pundits and the trade press, but it's not too subtle for the malware authors.)
The market share argument might be a partial explanation, but it really cannot explain the entirety of the vacuum in the Mac OS X malware marketplace. It's been five years, and still no malware plague. How many versions, and how many years must pass, before the industry realizes that perhaps there is something to this Mac OS X thing?
If you mod me down, I shall become more powerful than you could possibly imagine.
Those people are still around, plenty of them, even though the most widely discussed malware is now part of profit seeking black market enterprises. Some of them are writing remote systems management code which puts Tivoli to shame. (e.g. Some of them are clearly bright enough to learn Objective C in a weekend, as they already know C, C++, C#, and x86 assembly) They are writing malware for Symbian, even though the statistics indicate that iPhone dominates the mobile web market. (Symbian has more browser instances on the planet, but they are not actually used by people to access the web, so you're not going to capture many passwords infecting those phones).
In fact, it's time to really start wondering: Where's the Mac OS X malware?
At some point we security experts must begin to consider the possibility that Mac OS X might be protected by more than its niche market share.
If you mod me down, I shall become more powerful than you could possibly imagine.