Slashdot Mirror
Apple Hires Former OLPC Security Director
imamac writes "It seems Apple is seeking to beef up security by hiring Ivan Krstic, the one-time director of security architecture at One Laptop per Child. 'Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac.'"
So trivial in fact to launch an exploit on the Mac, that there's only one in the wild - and that's a trojan in a pirated application.
I guess the challenge of the PC ecosystem is what draws in the thousands of viruses and malware applications they get.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
"His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac."
Public knowledge? Public knowledge? I doubt the "public" really thinks it's trivial to launch an exploit against the PC.
I feel like I just listened to a 5 year old arguing to another 5 year old... "EVERYONE knows that YOUR operating system IS STOOOPED."
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
Apparently they think now might be a good time to start battening down the hatches. They don't want to make mistakes like they did with the iPhone. Who seriously leaves a JTAG enabled and on the board of a production phone?
Let's see here. The guy that invented a good security system (nerd) is hired by a large corporation (news). So far we have nerd and news covered. Now let's see, how does this matter? As macs gain popularity they also garner the interest of people looking to make exploits for them. Apple is trying to head off the tide a little so they can still market as being more secure than their main competitor. Personally I'm a Freebsd/Linux fan, but for all the mac users out there I think that it matters. So there you have it, News for Nerds, Stuff that matters. Or maybe News about a Nerd, Stuff that Matters.
"Some books contain the machinery required to create and sustain universes."-Tycho
Prediction:
This thread will soon devolve into a flaming argument between Apple Fanbois and Apple FanBoi bashers.
I am so tired of both sides arguing about Apple that I wish Slashdot would just remove the Apple section from the site.
let the games begin
Apple execs have put down their glasses of marketing Kool-Aid and joined the real world. They're obviously trying to get out ahead of the potential security holes in their OS, and they recognize that, despite what the fanbois will say, OSX is just as vulnerable as most other topics. Luckily for Mac users, none of the system crackers seem to care about gay porn or graphic design files.
It's not public knowledge, and the only exploit going around recently was one you had to download in a pirated application. Nice little troll slip in the summary there.
The Bitfrost system developed for OLPC (which is, AFAIK, completely open) is a comprehensive approach to security, data reliability, theft deterrence, and centralized management of computer systems designed for what amount to massive enterprises with extremely non-technical users.
Apple picking up the designer of that system could be seen as an indication of directions they may take in the future. Its "News for Nerds" even if its not entirely clear, obviously, how much it will turn out to be "Stuff that matters".
In the dictionary that ships with Mac OS X:
Security is defined as "the state of being free from danger or threat" and Safety is similarly defined as "the condition of being protected from or unlikely to cause danger, risk, or injury."
Security comes from the Latin securitas or securus "free from care" while safety comes from the salvitas or salvus meaning "safe."
So if there were any real nuance of difference between being safe and being secure, then security would have the edge in meaning over "feeling safe", while safety could be said to imply actually "being safe." But the words are really interchangeable, and how you use them can suggest either.
The real discrepancy that needs to be pointed out between the Mac and Windows is that while Microsoft has recently invested more into building a fancy security infrastructure, Mac users continue to both feel safer and to actually be safer in the sense of being free from danger or threat.
There is clearly no immediate or impending threat to Macs, and there is little in the way of market forces or that wishful thinking pundit invention of "hacker pride" that will result in something to turn Macs into the disaster that has dogged Windows since the late 90s.
What pundits like to do is equate low risk, self-injury actions with high risk, difficult to escape from events. This is straight up misinformation mixed with fear, uncertainty and doubt. For example, nearly everyone is claiming that:
* Downloading iLife warez that pretend to be stolen software
* from a non-trusted source
* assigning it privileges to install on your system
* and then finding that you have installed a background process that does something ugly that you can trivially remove
is the same as:
* Trying to use Windows to browse the web and use email
* finding that you've been automatically infected with adware and viral malware without knowing it
* then finding that your PC is also self replicating attacks or sending spam on to other systems
* then realizing that the design of Windows' registry makes it difficult to clean things out
* then noticing how much of your CPU capacity is being used to protect you from all of these threats via malware and virus scanners
* then finding out how expensive it is to spend hours cleaning up the mess yourself, or alternatively paying some Nerd Patrol $300 to "diagnose" that your PC is hosed.
They are not the same, and only a liar would keep suggesting that Mac and Windows users face the same dangers and threats. If you're paying attention, you'll notice that those who keep suggesting this almost always work for an Anti-Virus company working to make money off of Mac users. This shouldn't require any help in dot connection.
Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller... Mac AntiVirus Foe
How can threats from untrusted code (or vulnerabilities in trusted code) be able to exploit a JTAG header on the board of the device?
Unless, of course, you think that the owner of the device is somehow a "security threat"? I keep meeting people who think this, and I really don't understand it at all...
(actually, Krstic's Bitfrost system is *does* implement some local physical security, but that is to address a very specific threat: theft)
The malware industry has barriers to entry just like anything else, until we can make $x it's not worth any investment. OSX user base isn't big enough to generate $x yet.
Price out botnets of a few hundred thousand nodes. Now figure there are 20-30 macs around, which are to some degree homogenous systems and thus in theory easier to target.
Your argument goes straight to hell. When the number of intel macs in peoples homes crossed about five million, the "user base" argument went straight to hell from both a technical and financial sense.
So how come no attacks to speak of? My vote is that the Russian Mafia all use macs, and they don't want to foul their own nest. :-)
"There is more worth loving than we have strength to love." - Brian Jay Stanley
These and other inconvenient truths of the malware "market" are ignored, universally, by the industry trade press, and a surprising number of "security experts". There were worms exploiting Microsoft SQL Server on web servers when Apache + any of several other db had as much or greater market share. There have been Linux malware.
(Some of the various examples are relevant for fair comparison only within a market segment, such as the "web server" market, considered separately since these are considered "high value" targets, for their ability to spread to potentially many desktop systems, or for the data they might contain. For example, Linux had a minority share of the web server market when it first became a malware target. Perhaps this makes the case too subtle for pundits and the trade press, but it's not too subtle for the malware authors.)
The market share argument might be a partial explanation, but it really cannot explain the entirety of the vacuum in the Mac OS X malware marketplace. It's been five years, and still no malware plague. How many versions, and how many years must pass, before the industry realizes that perhaps there is something to this Mac OS X thing?
If you mod me down, I shall become more powerful than you could possibly imagine.
Those people are still around, plenty of them, even though the most widely discussed malware is now part of profit seeking black market enterprises. Some of them are writing remote systems management code which puts Tivoli to shame. (e.g. Some of them are clearly bright enough to learn Objective C in a weekend, as they already know C, C++, C#, and x86 assembly) They are writing malware for Symbian, even though the statistics indicate that iPhone dominates the mobile web market. (Symbian has more browser instances on the planet, but they are not actually used by people to access the web, so you're not going to capture many passwords infecting those phones).
In fact, it's time to really start wondering: Where's the Mac OS X malware?
At some point we security experts must begin to consider the possibility that Mac OS X might be protected by more than it's niche market share.
If you mod me down, I shall become more powerful than you could possibly imagine.