Apple's Unlikely Security Mentor: Microsoft
snydeq writes "Apple has much to learn about securing an operating system, and it could learn how from Microsoft, Roger Grimes writes in the wake of further evidence that Macs are more vulnerable to attack than Windows machines. 'It's taken Microsoft 10 years to turn security from a weakness into a strength. Apple can use the lessons learned by Microsoft to manage a quick turnaround. Apple has already hired one of Microsoft's former security leaders, Window Snyder, and it has adopted a modified form of Microsoft's Security Development Lifecycle programming practices. Apple has the benefit of seeing how Microsoft fixed its past mistakes.'"
...the last sentence in the summary makes sense. Not so sure about the rest...
The more you know, the more you have to say and the more you should listen.
MS is the typical fast follower: let someone else test the market, then jump in and take advantage of the new market while learning from the pioneer's mistakes, then push big to capture the market and crowd everyone else out. Once you're in you can expand and improve your product. It's been pretty effective for them over the years.
I'm a consultant - I convert gibberish into cash-flow.
The guy is named after an operating system? That's hardcore.
Once Mac was safe, supposedly due to obscurity. Actually it is still reasonably safe when configured right. But Apple will not take Microsoft's path. I really see this leading to the shift from MacOS to iOS in the Macs. Completely locked down and protected by gatekeepers.
Which wouldn't be so bad. I would give Unix/BSD/Linux/GNU a new place to fight for users.
Meanwhile actual hackers, like the guys who won the Pwn2own contests by beating OSX security, now say OSX Lion is more secure than Windows (even though they previously freely admitted Snow Leopard was trailing Windows' latest offering in that department.)
"Both Miller and his co-author in the book The Mac Hacker's Handbook, Dino Dai Zovi of Trail of Bits, said that from a security perspective, Snow Leopard was little better than Leopard, but that Lion is a "significant improvement." Dai Zovi describes the level of security in Lion as "Windows 7 plus plus." Apple hired the inventor of the BitFrost security system for OLPC, Ivan Krstic, two years ago in an effort to beef up core OS security. Krstic's methods in BitFrost mirror closely what has now been implemented in Lion."
If all else fails, immortality can always be assured by spectacular error.
There are lots of "security professionals" who actually have very little technical knowledge, let alone technical knowledge specific to security.
Having vague ideas on a process doesn't mean having to hire a particular person.
What's actually going on here, Apple?
Most security professionals (and even famous hackers, like Pwn2Own winners) today acknowledge that Microsoft's security development practices are very good, and so is their latest OS. Everybody who has not devolved into pure fanboyism understands that this can be the case even if they still have a higher volume of issues than Macs have for now.
Could only be better if his last name was "Gaard."
It is interesting to read the previous Slashdot article about the insecurity of Apple networks. The people pooh-poohing the research all get modded up to +5 and the actual researchers responses never do.
The main point is you cannot secure any version of OSX in an enterprise configuration. With the most recent versions of Windows you can.
It's a she, and her real name is Mwende.
I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
Am I the only person who finds it odd that a former Microsoft employee is named Window?
"It's taken Microsoft 10 years to turn security from a weakness into a strength"
Really? A strength? Seriously?
Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?....
Because Security is a "Strength" for Microsoft?
Honestly, while security *may* be better [and I'm not sure that's true] at MS, it certainly IS NOT a strength of theirs.
If that's the view of the moron who wrote this - I'll trust everything else written with the same level of massive skepticism. [i.e. It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.]
The only thing "strong" about windows security is the botnets that grow to 100,000 computers strong
Until MS expunges the litany of windows-running botnets from my inbox I'm not buying that BS. If they can take down the botnets, I'll acknowledge they've taken security seriously from a consumer protection standpoint. They can trot around the ring all day long yelling "We're tough on security now!" and I'll sit back with an "I'll believe it when I see some results" attitude. Put up or shut up. Ya I know, fat chance, but that's my opinion on it.
I work for the Department of Redundancy Department.
Who did you think the OS was named after? Bill Gates' mom?!? Psht!
Anyone who thinks MS and Apple are “unlikely” partners must have slept through the past 10 years.
With a ten-year head start, Windows still sucks.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I certainly can't believe that Microsoft had a security leader named "Window".
"Lack of speed can be overcome. In the worst case by patience." --Znork
There is a typo in the summary and here is the correction:
"It's taken Microsoft 100 years to turn security from a weakness into a strength and it is still not as good as Unix."
Comment away, maybe that'll make Linux relevant on desktops.
Her first name is actually Mwende
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Seriously? And he worked for MS? (this must be a glitch in the Matrix)
Look at MS: it has been aggressive about fixing things since XP, even providing free security software. Also look at end users: MS has for the most part been educating end users that they have to take preventive measures to keep their computers safe. Mac users generally think their OS is safe right out of the box. I know I will be called a troll for saying this, but it's a fact, and Leo Laporte, for people who know who that is, pretty much said that, and yes, he uses a Mac most of the time.
Some even earlier.
Really? A strength? Seriously? Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?.... Because security is a "strength" for Microsoft?
You'll notice a great majority of the exploits are found in old code. They've got quite rigorous security practices now, and their new code is benefiting greatly from it. I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.
It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.
Thats because you're holding it wrong.
I really can't think of two companies that approach the problem from such different directions:
Don't blame me, I voted for Baltar.
Pardon me if I'm not overwhelmed.
MS: "Yeah, your home is like Fort Knox - no one will break in through the new stuff we built. Mumble mumble mumble"
Me: "What was that mumbling?"
MS: "Well, everything is really secure, except the old stuff - like, you know, the doors and windows. That's old stuff. You can't hold us responsible, even if we built it. Only the new stuff matters and it's like a rock! No one will break in through the roof or walls!"
Me: "Ah, yeah - I feel so much better already!"
Sheesh.
If the new stuff is SO much better, and it's all that old crap code, then go back and fix it. Until then, I'll assume security doesn't matter much to you since while they can't break the "new" code - there's loads of old code that's full of holes. The practical experience is "it's full of holes." I don't much care where they come from.
[And even then, I don't yet buy the "Well the new stuff is so much better." because I don't see much evidence of it.]
-Greg
hey, celebrity's moms aren't fair game, leave Blooscreena out of this.
'It's taken Microsoft 10 years to turn security from a weakness into a strength.'
Microsoft security isn't a strength, it's mediocre at best. This statement is just blatantly false.
Apple have problems but they are fixable because they started with a solid proven design, UNIX. Microsoft never had that advantage.
restaM is a security teacher. restaM is Master written backwards. To learn from a restaM you do everything the opposite way. If they do A, you do !A. If they advise you to do B, you do !B. This is how Apple can learn security lessons from Microsoft. Oops, sorry. snossel !
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
> You'll notice a great majority of the exploits are found in old code
If said old code is still what's running, you don't get to use its age to dismiss it as a weakness. It's a weakness until it's fixed. Only after it's fixed do you get to brag about having turned weakness into strength.
This article is total nonsense; malware can only be resisted by the end user not downloading and clicking on it and entering the admin password. Why it deserves a Slashdot mention is beyond me.
I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.
It's good to acknowledge this, since it's all that matters.
Everyone is always "on the path" to somewhere. For instance, everyone in the US is on the path to becoming billionaires. Every single person. Just ask them.
Likewise:
-GNU HURD is on the path to become the kernel for the GNU operating system.
-Enlightenment 0.17/E17 is on the path to a stable release.
-KDE 4 is on the path to a stable release.
-Paul Graham's Arc is on the path to become the next great programming language.
-Windows is on the path to being secure.
lol
People automatically assume it's a guy? That's chauvinistic.
Also, she has been head of security at Mozilla. I guess the summary didn't want to throw a third party into the debate.
http://www.usatoday.com/tech/news/computersecurity/2008-06-17-mozilla-window-snyder_N.htm
They can't "go back and fix it" because their customers are businesses that run their business on software that needs that old broken code to work. If they break compatibility with those systems they'll be killing the golden goose.
I know! It certainly IS ironic that Microsoft would employ someone named Mwende!! L0lZ!!one
Yeah, good UNIX proven design:
Like setuid servers (not!), where even simple bugs allow an attacker direct root access.
Like the hopelessly inadequate, coarse-grained me-us-world security, which requires proper ACLs to be bolted on top.
Like not being able to set up proper inheritance of security from the parent folder, leading admins to design strange processes that wake up and chmod files.
Like the almighty root to rule them all. No separation of duties there. (Windows has proper separation of duties based on privileges. Even admin does not own all privileges; for instance, the admin *cannot* write to or clear the security log.)
Like the UNIX idea of a "token", which is just a UID hard-wired to a user account. (Windows has *real* process tokens which can be manipulated per process, e.g. stripping certain privileges from a process even if it runs under an admin account.)
Windows security design is not perfect, but it is a good deal better designed and more capable than the "UNIX proven design". Why do you think SELinux was developed by the NSA? Because Linux with its "proven design" was woefully inadequate for government work, a task for which Windows is certified but only a few Linuxes (those with SELinux) are.
We keep hearing about this "superior" Unix security design. But it is always referred to in the abstract with no details. Maybe it is some magical fairy or Apple dust?
Yes, a good admin can lock down a Linux with AppArmor or SELinux pretty tight. Both AppArmor and SELinux are solutions which compensate for the initial inadequate design.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Since Microsoft is the dominant platform, most types of new attack vectors happen against Windows.
Then the Mac/Unix/Linux crowd laugh their asses off at how insecure Windows is,
meanwhile they quickly produce security patches for the same vulnerability in their own systems.
The biggest example of this would be the buffer overflow attack.
Yeah, for a lot of people it seemed exceedingly obvious you should be bounds checking,
so when it cropped up in a number of Microsoft tools/libraries everyone jumped on it.
No one mentioned that a number of BSD (Mac), Linux and Unix utils had to be patched for the exact same thing,
because that would be seen as being as bad as Microsoft. So we don't speak about those.
Overall Microsoft is the dark knight in this one.
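The bounds-checking point in the comment above (and the "buffer overflow was a 1960s problem" remark further down the thread) in working code. This is an added example and not code from any comment or product discussed here: the struct layout and the inputs are constructed for the demonstration, `copy_unchecked` is the historically common pattern that bit Windows and Unix utilities alike, and `copy_checked` is the fix that was missing from all of them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed-size name field followed by a flag.
 * Whatever spills out of `name` lands in `is_admin`. */
struct session {
    char name[8];
    int  is_admin;
};

/* The classic unchecked copy: runs until the source's NUL and knows
 * nothing about the destination's size. noinline keeps the compiler
 * from folding the demonstration away. */
__attribute__((noinline))
static void copy_unchecked(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Bounds-checked replacement: rejects anything that does not fit together
 * with its terminator and leaves dst untouched on failure. Returns 0 or -1. */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)          /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Flag value after copying `input` into `name` without a check. */
int admin_flag_after_unchecked(const char *input)
{
    struct session s = { "guest", 0 };
    copy_unchecked(s.name, input);
    return s.is_admin;
}

/* Flag value after the checked copy: stays 0 whether or not the copy fit. */
int admin_flag_after_checked(const char *input)
{
    struct session s = { "guest", 0 };
    (void)copy_checked(s.name, sizeof s.name, input);
    return s.is_admin;
}

/* Result of the checked copy alone: 0 if `input` fit, -1 if it was rejected. */
int checked_copy_result(const char *input)
{
    struct session s = { "guest", 0 };
    return copy_checked(s.name, sizeof s.name, input);
}

int main(void)
{
    /* 11 bytes plus NUL: exactly sizeof(struct session), so the overflow
     * stays inside the struct and only the flag is corrupted. */
    const char *payload = "AAAAAAAAAAA";
    printf("unchecked: is_admin=%d\n", admin_flag_after_unchecked(payload));
    printf("checked:   is_admin=%d\n", admin_flag_after_checked(payload));
    printf("checked:   rc=%d\n", checked_copy_result(payload));
    return 0;
}
```

The unchecked copy turns an 11-byte name into an admin session without any "exploit" beyond typing too long a string; the checked copy turns the same input into an error the caller has to handle. The fix costs one length comparison, which is the point the commenter is making about how obvious it looked in hindsight.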
Given that Apple have now revealed themselves to be every bit as evil as Microsoft (as opposed to just wanna-be evil, as the more perceptive of you will have known for at least the past decade) it's not surprising that these two scum-infested megacorps are now talking.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
By old stuff they mean unpatched machines, not old components. If you've kept your machine up-to-date, both "new" and "old" stuff will be secure.
Plus, maybe it's because I'm a geek, but I have never gotten my Windows computer hacked and I haven't had a virus for the past 7 or so years...
so they hire some guy that used to work for MS, and possibly several other companies. So they use some methodology that MS uses, and possibly used by many other companies, so what, that does not make it an Apple learns off MS story, it's a 'we hired some guy' story. OFFS!
just pull together a couple of other people's stories, and get paid as a writer. The two stories that make up this article have been covered by /., and probably refer to 10.6 and not 10.7.
Lion is so secure it reports back to Apple everything you have stored on your computer. Instead of worrying about who is trying to break in (remember most corporate data loss happens from the inside), maybe people should be watching what apps like the "App Store" are doing and what information is leaving your computer. Try this: have a legal copy of Lion downloaded on one Mac. Go to the App Store on another Mac and it shows 29.99. Then move the downloaded copy of Lion to any folder on the Mac that still shows the purchase price. Open the App Store again and you no longer see the option to purchase; it shows as installed. Now take it one step further. Remove the Lion file again, open the store and it shows 29.99 again. Now attach a USB drive to your Mac. Copy the Lion dmg to the USB hard drive, to any folder you would like to create. Go back to the App Store and it shows as being installed again. This is all without making any preference changes to the App Store or any other app. Apple is real-time scanning your system and sending information back to Apple. They are also doing this with your entire iTunes library (iCloud anyone?). This is just something to think about. I am sure all the Apple fanboys will defend Apple and slam me for this, but I had everyone in my family get Macs for the last 15 years so I would not have to fix their Windows machines. Even though I am a long-time Linux user I did like Macs, but now I will not touch them or anything else Apple makes.
Because NEITHER Microsoft, Apple, or Linux (or others) ships their Operating Systems as SECURED AS THEY CAN BE, period!
Proof? Ok:
How come there is something called:
---
1.) The "CIS Tool" for Windows (& other OS' too)
2.) The Microsoft Baseline Security Advisor
3.) SeLinux
4.) Apple has a security guide also that pretty much follows the SAME DAMNED GENERAL GUIDELINES as what I do for Windows users here then:
http://www.apple.com/support/security/guides/
---
???
(Ask yourselves that... if these OS' are "So Secure" then...)
---
To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml which Neowin above picked up on & rated very highly.
That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...
Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:
---
1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ (see January 2008))
---
Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:
---
That gets testimonials like this after applying it:
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does ac
'It's taken Microsoft 10 years to turn security from a weakness into a strength"
The most ridiculous thing I've ever heard.
I had a great laugh!
Those infected Windows bot machines probably don't realize that security is now a strength of Microsoft.
I wonder if there are any studies that show the percentage of infected Macs vs the percentage of infected Windows machines vs the percentage of infected Linux machines.
Based on my anecdotal observations, I'm guessing the results will not have Microsoft shining for their security prowess. And if we're only looking at the latest OS'es, Win7 vs Lion, I'm guessing the results will be even worse for Redmond...unless they, or their PR firms, do the study.
Buffer overflow was a 1960s problem.
The software industry in general has a very short attention span but Microsoft really dropped the ball on that and many others where they could learn from the mistakes of the past. People are generally pissed off when they see something for sale that obviously has very little in the way of QC and large flaws in the design. The Zune leap year bug is another example of not taking the time to test for the completely and utterly fucking obvious.
People shake their heads because really stupid problems occur over and over again. If it happens in a small team writing an application as a hobby it's unprofessional. If it happens in a huge company with the vast resources of Microsoft it starts to head down the road to criminal negligence.
http://www.apple.com/ca/press/1997/08/AppleMicrosoft.html
No operating system is secure right out of the box. At least with Linux/Unix there is a huge difference between the system admin and an ordinary user, and it is fairly common for most people who use *nix (this includes Apple's OS) to log in as a normal user. Where MS Windows differs is the fact that most people grant themselves system admin privilege right out of the box, and that makes an MS Windows OS less secure than a *nix OS. Any user who is logged into a *nix machine as a system admin for non-system-admin work is IMHO an idiot, and that opinion has not changed for over 30 years.
It is possible to use MS Windows without virus protection and never get viruses if you are careful but since MS Windows is more targeted than any *nix OS this can be quite hard. As for Microsoft educating end users, really!
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
The premise of this article is deeply flawed! Apple's products are *NIXes. Microsoft's are, well, Microsoft's.
Darwin is a BSD fork. It should take its security cues from OpenBSD, not Microsoft. Apple excels at ease of use. OpenBSD shoves ease of use completely aside in favor of security. They both are excellent at what they do. Is Microsoft excellent at what they do? Are they excellent at security? Who is going to have more to teach in the real world that can be implemented tomorrow?
The only argument for a fit between Microsoft and Apple on this is that Microsoft has dealt with the behavioral issues of security. If you just spit your coffee at the screen then you know how I feel about that statement. Apple has NOTHING to learn from Microsoft about user experience and Microsoft has nothing to offer a *NIX that it can't get better (and with way less baggage) from OpenBSD.
Every rule has more than one consequence.
Are you sure you meant to write that?
Where MS Windows differs is the fact that most people grant themselves system admin privilege right out of the box, and that makes an MS Windows OS less secure than a *nix OS.
That hasn't been the case since XP. Sys admin level changes need elevated privileges just the same as on *nix systems.