Slashdot Mirror


User: IamTheRealMike

IamTheRealMike's activity in the archive.

Stories: 0
Comments: 5,855

Comments · 5,855

  1. Re:Is it enough? Yes. on Apple Patch Released, But Is It Enough? · · Score: 1

    BeOS had no exploits for it despite having no security system at all (not even multi-user support). Did they do their job just fine then?

  2. Re:Give me REAL WORLD proof on Apple Patch Released, But Is It Enough? · · Score: 1
    Did you read the article? A lot of these flaws are in net-facing code like Safari or QuickTime. Arbitrary code execution due to a corrupted movie ... well, there you go, that's an "instant malware by web browsing" attack right there.

    An admin account solves nothing, btw. Not only are privilege escalation exploits numerous but you don't need root/administrator access to do most of the things botnets do.

  3. Re:Lots of factors on GSM Cell Phone Reception Quality? · · Score: 1

    The people who make the phones are typically not the same people as those who control call quality (which I guess is related to density/power of base stations). Why should they not add features when it's the operator's problem to sort out reception issues?

  4. Re:Did they alreay win? on FreeBSD Vows to Compete with Desktop Linux · · Score: 3, Insightful
    The moment a user ever has to care about QT vs GTK+ and figure out why they are behaving a bit differently

    They don't behave differently. At least, the differences are no worse than on the Mac or Windows where apps frequently reinvent the standard toolkit (*cough*Aperture).

    or what the heck CUPS is

    The only time a Linux user would have to care about this is if their printer isn't supported. And most are (albeit with varying degrees of driver quality).

  5. Re:Yeah, well... on Ken Kutaragi's Famous Last Words · · Score: 0
    The sort of people who want to play very fancy games will get a PC - the days when consoles could blow away a PC in terms of raw gaming power are long gone. The GPUs are all being made by ATI and nVidia these days, the processors are all slower than a high end dual-core AMD/Intel chip for most current not-terribly-parallel gaming code, and the game library is massive. You also have a keyboard/mouse which opens up gaming combinations consoles can't do (even with the Wiimote).

    The current top of the range PCs already look a bit better than the PS3 demos that are being shown, and that gap will continue to widen as time goes by. Until the next generation of consoles come out and the gap closes again.

    This does make you wonder - if somebody produced a games console that was basically a PC, was upgraded every 6 months, could play PC (Windows) games, but didn't expose the Windows-style interface and simply had a "insert disk, play" type UI would people buy it?

  6. Re:Apple is just another PC maker on Apple's Device Model Beats the PC Way · · Score: 1
    Apple isn't a PC maker, because if what they made were truly PCs MacOS would install on regular PCs as well. The fact that they are technically almost identical yet product tying is used says a lot about the success of the "end to end" model of design IMHO. If it was really so great, how comes they ended up simply selling PCs with an operating system?

    Incidentally, I don't really like this market tying. Monopolies aren't allowed to do it because it's harmful and distorts the market, I don't see any reason why non-monopolies should be allowed to either ...

  7. Re:Priorities? on Microsoft To Automate Malware Classification · · Score: 1
    Maybe they should address the cause of the problem first?

    What cause would that be? Maybe employing humans? Or maybe the fact that they use C and C++ heavily?

    Hmm, what other projects are written by humans and use C/C++ heavily? Oh right .... all the competitors! How many "arbitrary code execution" vulnerabilities has Firefox had in the past year? How many privilege escalation bugs has the X server had in the past year? How many has MacOS X had that haven't been fixed for months? How short is the "dump encrypted form data from Safari" sample code again?

    If you ask me Microsoft is way, way ahead of the competition in its approach to malware by now. Yeah Windows isn't very secure but if you think Linux or MacOS are then you are thinking wishfully I. Even if there were no privilege escalation exploits - ever - having limited user rights will never cut the mustard in my view. People can be socially engineered too easily, and the lack of a decent secure GUI system makes any OS that requires entering administrator passwords problematic.

    Look at how Vista has to bend over backwards to prevent programs interfering with the LAU password dialogs - this isn't proof of the superiority of the competition, but rather an indication that said competition isn't really battle hardened yet. Fiddling with password entry dialog boxes on Linux at least is child's play (and there are so many things you can do without admin access on the Mac it's hardly even necessary).

  8. Re:Nintendo: the next Apple? on Super Smash Brothers Wii, Featuring Solid Snake · · Score: 1
    regarding innovation, have you even used a mac or an ipod?

    LOL, yes I have. I've used many different versions of both.

    Are you seriously claiming that the iPod, which entered into a market with many competing players, is innovative? The only remotely innovative thing about the iPod is perhaps the circular wheel interface. Using a hard disk isn't innovative, others were doing it before them, and "more storage" is hardly a cutting edge make-em-gasp idea is it?

    As to the Mac, well, I covered this elsewhere. A Mac is a PC with a funny keyboard, and an OS that has windows, buttons, menu bars, a file manager, a web browser, Microsoft Office, a kernel and some bizarre design decisions (Mach-O anyone?). BORING! Almost all the "innovations" in MacOS X are simply evolutions of existing ways to do things. That doesn't mean it's bad, or unimportant, it just means that most of them could have been predicted by people extrapolating from current situations and trends. Apple were the first to use GL to composite the desktop - so what, this is just software optimization and it could have been easily predicted by looking at trends in video card design. Better searching on the desktop - no shit sherlock, I think anybody who used Google could have made a guess at that one.

    But who could have predicted the Wii-mote? Not many people. Who could have predicted Expose? That one was neat.

  9. Re:Nintendo: the next Apple? on Super Smash Brothers Wii, Featuring Solid Snake · · Score: 1
    You misspelled usability.

    Really, I didn't.

    Firstly, usability is an optimisation. It's not innovation. Microsoft - believe it or not - had massive usability testing programs long before OS X came out, as did many other pieces of software. The start button was given its "start" label because of usability tests. To claim that a focus on usability is innovation would be wrong, because other OS vendors were doing it in a serious way before Apple. Whereas until OS X most operating system vendors really paid little attention to eyecandy - the "battleship grey" Windows theme lasted, what, 6 years before being replaced by Luna? Which wasn't all that different - no animations for instance.

    Secondly, you can argue that MacOS X is more usable than Windows, and I would take that argument and be the devil's advocate, because having used both I think it's not so clear cut. If you drag an icon from the dock to the desktop, instead of moving from the dock to the desktop it vanishes in a puff of smoke. That is fucking scary. Other very questionable things include keys labelled with unpronounceable symbols and a menu bar that constantly moves around depending on the name of the program which currently has focus. And of course earlier versions were guilty of massive eyecandy abuse (toned down a lot in later revisions, which are mostly ... battleship grey!)

  10. Re:Sex query on New Google Services Announced · · Score: 2, Funny
    What I liked better is that the London suburb of Brentford has more people searching for porn than Delhi.

    What I liked even more than that was that Brentford rates as number 3 in the world, falling just behind .... Birmingham and Manchester. We Brits are a horny lot!

  11. Re:Nintendo: the next Apple? on Super Smash Brothers Wii, Featuring Solid Snake · · Score: 1
    Mmmm hardly ... Apple get great press but they aren't all that innovative, IMHO. They just build well engineered/designed things (on average .. QuickTime for Windows is crap).

    Look at the Mac ... these days hardware wise it's pretty much a PC in a white case. About as boring and uninventive as you can get. MacOS X looks nice but is just an evolution (or mashup) of existing systems. Its primary innovation was a focus on eyecandy. The most innovative feature I can think of in a Mac is Expose. The real innovation in operating systems takes place in things like Plan9, Singularity etc.

    Nintendo meanwhile have not only bucked the conventional wisdom of their industry and totally changed their target market, they've also completely rethought how a games console should be designed ... an equivalent would be Apple dumping the concept of a file from OS X, replacing the keyboard/mouse/screen triple with a unified touch screen, or replacing the concept of an application with discrete components that stream to the system on-demand a bit like web/flash apps do. The Mac is pretty boring as these things go, the fact it gets so much attention says more about the state of the mainstream OS industry than anything else.

  12. Bah, another FPS on The Second Generation of 360 Titles · · Score: 1

    When can we get a return to the Indiana Jones adventure games of the nineties? Bring back Fate of Atlantis!

  13. Re:Linux Incompatibility List on Kevin Carmony Responds to Criticism · · Score: 1
    Worthless, you often can't even identify what a piece of hardware is even if you have absolute freedom to choose whatever product you want (also often not true).

    For instance I have a wireless card that I've never used, because it doesn't work with Linux. Yet on the website it had a picture of Tux! What went wrong here ... oh yeah they changed the chipset but not the model number. False advertising yes, am I going to sue them over it, no.

    Truth is there isn't really much leverage, at least in the desktop space. And where the "freeness" ends is poorly defined anyway. Did you know that the hardware microchips that power many peripherals are synthesised from a software-like description? At least one of those languages (Verilog or VHDL, I forget which) even looks a bit like C! If the drivers have to be open, then why not the hardware too ... if you think people wouldn't demand that, well, they already want the firmware in some cases :/ The dividing line between the different bits of code that make up a hardware product is pretty much arbitrary.

  14. Re:It had better be sandboxed. on Kevin Carmony Responds to Criticism · · Score: 1
    um what?

    seccomp prevents a program from doing anything useful at all except processing some data and writing it to a file descriptor. Great if all you want to do is do calculations on hunks of data (which is what it was designed for), completely useless for everything else.

  15. Re:Entire comment on Torvalds on the Microkernel Debate · · Score: 1
    Chris Lattner (now working on LLVM for Apple) has written some interesting papers on proving memory safety of C/C++ code which satisfies some very minimal requirements. If I understand his work correctly, "Memory safety" in this instance means you can prove that the software doesn't manufacture pointers into the middle of an object and start messing around inside it. It allows you to give the same guarantees that the JVM would give with respect to pointer usage, but for C.

    If a kernel was scrubbed of unsafe constructs and then proven to be safe using these methods, would it be monolithic or microkernel? Arguably it would be neither. It would have some of the safety properties of the latter with the hardware properties of the former.

    Framing kernel design in terms of the monolithic/microkernel debate is silly. It closes people's minds. The only reason we even have kernels is because of the design of CPU hardware security. If you look at Lisp machines for instance they had a very different design.

  16. Re:Where's the competition? on Ageia PhysX Tested · · Score: 1

    The competition is engines like Havok FX which run on a graphics card and provide "effects physics". This requires very modern graphics hardware but not a special card. Presumably the downside is that the extra load on the GPU reduces framerates or graphics quality in some other way, but I don't know enough to say. It'll be interesting to see how it works out at any rate.

  17. Re:Sense on 'UK Hackers' Condemn McKinnon? · · Score: 2, Insightful
    In all of my history as a US citizen, I have seen enough to believe that the courts here are legit and fair. They are not perfect, but surely no one assumes that GB has perfect courts.

    Your legal system is more than imperfect, it's an international disgrace - what joke of a legal system is simply ignored by politicians when convenient for them to do so? Answer: America's. There are plenty of examples elsewhere in this thread.

    If someone hacked GB's computers, I would expect them to be sent there for trial.

    You might expect it but you'd be disappointed. IRA terrorists have a long history of fundraising in the United States, some of them are still there today, yet they will not be extradited as the US simply does not do that. Incidentally the US govt was implicitly supporting terrorism in this way for a long time.

    McKinnon, whatever he believes, should not be tried in the US. It wouldn't be safe, and he would certainly be unfairly treated by an administration that is way, way out of control.

  18. Re:I can't wait on Spore Promo Video Leaked to YouTube · · Score: 1
    The singleplayer mode isn't the draw of many gamers today. People want to go online and interact with other people.

    That's a nice theory but it seems that Spore is a single player game.

    I like to make a CD image for games ... is that so bad?

    No, it isn't bad. But you also aren't entitled to it.

    Let's put this another way. It is inconvenient for me that when I buy something in a busy store I must wait in a queue to pay at the counter. It would be much simpler if I could simply throw the right money into a bucket and walk out. Why do they not let me do that? Why do they try and arrest me if I do this?

    Well, uhm, when put like this it becomes obvious - you aren't allowed to do that because so many people would abuse it. By requiring you to pay at the counter, they can cut down on the numbers of people who accidentally forget to throw money in the bucket.

    Likewise, it may be inconvenient for you to take care of your CD and put it in the drive, however, the people who made the game would rather you did so anyway because if it were optional a lot of people would accidentally download an image off BitTorrent and run it through an emulator.

  19. Re:Honestly... on NASA Hacker Gary McKinnon Interviewed · · Score: 1
    A few minutes on Google reveals another theory (I love this one ...)

    The "Project for a New American Century" has a stated goal of having America take over the world. Its members believe that the world is best served with America in charge (I shit you not, these "neocons" exist and many actually work for the US administration).

    Upon discovering "free energy" (often claimed to be some variant on zero point energy) by reverse engineering crashed UFOs, the technology was classified, simply because in the aftermath of WW2 and at the beginning of the Cold War it was the easiest route to take, plus, it would have given the US an advantage over the Soviets which might have been a useful last-ditch strategy.

    As the threat of the cold war receded US policymakers realised that the world was dependent on oil. Much money was being made, however perhaps more important than that was the fact that the US did not control the world's oil supply, rather, OPEC did and these meddlesome non-Christian Middle Eastern countries were rather in the way of the New American Century - but there was nothing that could be done. Or was there?

    Fast forward to 2015. Oil prices are at $300/barrel, transport is disintegrating, famines sweep the Earth, a stable grid supply is a luxury. Into the chaos steps The United States with its free energy devices, carefully controlled and secured by the military. Not only does it save the world, but it also [re-]establishes America as the only superpower, completely in control of other nations via its energy monopoly. Mission accomplished.

  20. Re:Everyone - Attention on El Reg Says Google Choking on Spam Sites · · Score: 1

    MySpace is in fact littered with fake profiles that appear to be real people but are actually advertising products or link spamming.

  21. Re:One idea? on El Reg Says Google Choking on Spam Sites · · Score: 2, Interesting
    How does a moderator prove they are in fact a legit human and not a bot?

    I foresee a time when to access large parts of the net you will be required to use some central "proof of life" system. The current mish-mash of captchas isn't working. We have custom English captchas on a forum I admin and it doesn't seem to stop the bots: presumably when they get stuck they call for help.

    It's hard to believe a third of Google's index is auto-generated crap, but then I couldn't really believe the "50% of net traffic is spam or viruses" claim either and I'm pretty sure that one turned out to be true. It appears that an unregulated commons will always degenerate into a wasteland without some form of governance and law enforcement; perhaps rather than an arms race the only solution is for the internet to grow its own legal system and police force (how that'd work is left as an exercise to the imagination)

  22. Re:static_analysis++ on Programmers Learn to Check Code Earlier for Holes · · Score: 4, Insightful
    FYI, it costs about 50.000 $ for a medium sized project (500.000 lines)

    Yes it's incredibly expensive. Yet, plenty of well known companies pay for it, so I suspect it's worth it to them.

    is no more than a lint on steroids.

    Er, no. No, no, wrong, no.

    I've got access to the Coverity results for WineHQ. It's already found many problems that evaded both manual code review and unit testing. Its rate of false positives is remarkably low once properly configured. A lot of these problems would only occur in obscure circumstances or on error paths - but these are precisely the kind of errors that unit testing tends not to reveal. It can detect problems like race conditions or memory leaks that lint cannot. The recent X security bugs were revealed by the tool first.

    I've seen tools like this before, but not one as good as this. I've never used competing commercial products, so cannot speak as to their effectiveness, but for a large C++ codebase I would certainly be happy to have such a tool helping me out.

    Microsoft have used similar programs developed by MS Research on the Windows codebase for some time now and they're apparently very effective. Quite a lot of security problems revealed by them were silently fixed along with other problems in updates.

    None of these tools is a match for a manual audit performed by a professional.

    Totally wrong. Every patch that gets checked into Wine passes code review by at least Alexandre who is without question the best programmer I've ever met. He is easily as good as Linus but his much quieter and more conservative personality means he doesn't get Linus' press attention (a good thing, imo). And all the patches are posted to a public mailing list where several other people can and do review patches too.

    Static analysis can reveal problems that simply don't get spotted by the human eye because they're too complicated to follow, because they occur in very weird situations, or because the code evolves over time under the direction of many different people and inconsistencies creep in.

  23. Re:Virus writing is a business on New Apple Campaign Target PC Flaws · · Score: 2, Interesting
    The funny thing is, just like most software is on Windows because people are too set in their ways to learn OS X programming, so too are virus writers pretty comfortable with what they can do on Windows and don't want to really do much extra work. So macs are protected by an inertia that should keep them pretty safe long after some arbitrarily large threshold of marketshare is reached.

    That's a pretty astonishing theory, and I don't believe it. We've already seen spyware that attacks Firefox, and it started at about the 10% boundary. I see no reasons why virus writers, who as you say are in it for the money, would pass up the opportunity to get one up on their competitors by ignoring the Mac.

    I also don't see anything in the Mac that makes it technically more resistant to viruses than Windows. You don't need administrator access to do many of the things viruses/bots usually do, and the security system it inherited from FreeBSD is basically all they've got.

    Given that stock Linux, MacOS X and Windows are all equally crappy when it comes to security, all with "bolt-on" security systems designed in the 70s for a totally different threat model, I would be very hesitant with making any claims that Macs are more secure than PCs (which basically means MacOS is more secure than Windows). Right now they ALL suck! Apple have had more than their fair share of stupid exploits, often ones which worked in the same way as Windows exploits released months or years before.

    I'm putting my hopes in MAC security frameworks like SELinux and AppArmor ... I'm itching to get some spare time so I can experiment with hardening a system against malware/viruses/spyware threat profiles using them. My dissertation was on security, there's a whole lot more work that needs to be done before yet.

    I think this idiotic campaign will come back and bite them on the arse. Just like they used to claim Mac hardware was sooooooo "superior" and now basically sell PCs with a different OS and a different box, unless they come out with radical changes to MacOS and radical new research results they'll have to backpedal pretty badly in future.

  24. Re:But on Spam King to Sing For Feds? · · Score: 1

    Doesn't matter, hefty punishments will discourage others from trying it.

  25. Re:ZOMGWTF on Cell Phones Responsible For Next Internet Worm? · · Score: 1

    Yeah, I found that later whilst looking for "j2me vulnerability" on google :) Suffice it to say, the researcher in question had to spend 4 months reverse engineering his phone's OS to make it do anything interesting ... whilst it's deeply worrying that Sun haven't published ANYTHING about this exploit and so there's no way to know if it's fixed, I don't think there's any serious danger from it right now.