Feeds

back to article Security biz scoffs at Apple's anti-Trojan Gatekeeper

Security watchers are expressing reservations about whitelisting security that Apple plans to integrate with OS X Mountain Lion this summer. The security feature, dubbed Gatekeeper, restricts the installation of downloaded applications based on their source. Users can choose to accept apps from anywhere (as now) but by default …

COMMENTS

This topic is closed for new posts.

Page:

Looks more like Apple locking people into the app store to me

Yet again Apple try and stop users getting their own software.

In context. MS get forced to show other browsers are available instead of IE which is built in. Yet no such change for apple/safari and when they lock the systems down more to only allowing signed or app store applications, the more they corner the market. One rule for everyone and a 'special' rule for Apple.

18
11

Big corner, tiny market

Whereas a big chunk of the world runs on Microsoft products, and has done for years -- you know, stuff like governments, companies big enough to matter, and like that.

Apple can lock its platform down so tight that you can't install anything, Apple-blessed or otherwise, without getting Steve Jobs (RIP) to personally sign on the line -- and, excepting coffee-shop denizens and colored-pencil pushers, who's it going to hurt, really? (The three or four old bearded hackers who use Macbooks don't count; they can run what they damn well please, not least because if it doesn't behave how they like then they'll just gut it down to the kernel and rebuild it to suit them anyway.)

3
10
Silver badge

Re: Looks more like Apple locking people into the app store to me

Microsoft was forced to offer other web browsers because they had a monopoly that was damaging the market. While that case could be made with Apple's lock in to the app store no one has done so yet. Besides Apple doesn't come close to the dominance of Microsoft in the desktop/laptop market in any of their markets, not even the tablet market.

Furthermore, Microsoft was opposed by the likes of Google and Mozilla, which could affford lawyers on par with the MS legal team, in that case. The only people likely to challenge the walled garden are independant developers and jailbreakers. These people have neither the political pull nor the resources to hire good legal teams that the big corporations have.

It'd be nice if Apple users were allowed to easily tear down the walls of the garden should they choose, but I don't see it ever happening.

0
5

This post has been deleted by its author

Anonymous Coward

Re: Looks more like Apple locking people into the app store to me

It actually seems like common sense, the weakest link to malware of any kind in the human being.

You can have the best security, AntiVirus, anti malware program on you pc but klick on or drive by the wrong page and you get stuffed. Hence none of my parents, and in laws have administrator privileges any more, I was fed up having to sort their computers out. No problems for a year now.

The new Apple system will be great for those sorts of people, OAP's, the illiterate, fanbois, the computer know it alls, the socially disfunctional etc.. it will keep them out of trouble.

Until they find the overide, can that be hidden too?

2
0
Pirate

Re: Looks more like Apple locking people into the app store to me

what a nonsense article.

There is NOTHING here to lock you down, just a select box to allow the user to pick a setting. BIG NEWS!!

OS X will never be locked down like iOS.

And if you want to talk about locked down, how come no-one ever said windows was locked down because it only allows me install windows apps. I want it to run my mac & *nix apps and it wont. Bloody M$ and their walled garden ! what a load of Crap.

interesting that the companies who say this is bad are the ones who stand to lose financially.

stop talking crap guys. Its only a setting that can be easily changed. I know I would set it to App store only on my kids / idiot families Macs so I have one level of worry less with them.

4
16

Re: Re: Looks more like Apple locking people into the app store to me

I agreed with you right up until

And if you want to talk about locked down, how come no-one ever said windows was locked down because it only allows me install windows apps. I want it to run my mac & *nix apps and it wont.

and from then on your comment was tainted by the outright idiocy in the above. What Apple are (accused of) trying to do is to implement a system that ensures that software written for the Mac won't run unless they've approved it. I don't think this is actually the case (defending Apple? I'll get myself checked out by the Doc tomorrow!) but it's very different to 'My Mac App won't run on Windows"

And unless things have changed dramatically, I suspect you'd also have problems running your Windows Apps on Macs without a bit of software in between.

The thing that makes me laugh is the observations of the security guy - You can still run files from disk, network shares etc. To me it reads as if Apple are trying to protect the idiots from themselves whilst minimising the hassle for other use. Yet to see scareware served over the LAN but YMMV

6
0
Vic
Silver badge
Joke

Re: Re: Looks more like Apple locking people into the app store to me

> I want it to run my mac & *nix apps and it wont.

Not discovered cygwin yet, then?

Vic.

3
1
Childcatcher

Re: Re: Re: Looks more like Apple locking people into the app store to me

Hi Ben

I have to admit a bit of tongue in cheek with that part of my post. Just highlighting how completely ridiculous people get with their arguements for/against certain things.

I happen to like the 'walled garden' idea on my phone. I have yet to think of an App that i couldnt find in the App Store that i 'really' need and i consider myself a power user.

I am happy that i am quite safe though.

Its all fine getting a virus on your computer and it spewing out spam. Cost = zero (and yes i know,it can be more if it gets access to password etc, but for this example i am just identifying one issue)

But on my phone, if i get something that , the texts/calls to premium can cost me.

So a phone should be more guarded.

and anyone who hates the walled garden, then answer is simple... just find a different phone, no big deal :)

2
1
Vic
Silver badge

Re: Re: Re: Re: Looks more like Apple locking people into the app store to me

> Its all fine getting a virus on your computer and it spewing out spam.

No it bloody isn't.

Vic.

1
0
Gold badge

Re: Re: Re: Looks more like Apple locking people into the app store to me

It's not about preventing apps that aren't signed, it just alerts and warns you about those that aren't.

Windows Vista, 7 and Server 2008 do this. You can switch off such warnings.

Wasn't Microsoft going to prevent the loading device drivers they hadn't approved also? it's more or less the same thing. It's about trust and stability.

0
0
FAIL

Re: Looks more like Apple locking people into the app store to me

Um...you do realize that developers can codesign their own apps, right? And that code signing is free? And doesn't require going through the Mac App Store? And that it takes about a minute to do?

It's really not that big a deal, and I say this as a Mac app developer whose apps can not be sold through the MAS. Signing an app allows it to be run from any source without triggering Gatekeeper.

0
0
jai
Silver badge

triggering a prompt

sounds like Wisniewski is very much a fan of Windows prompts "i see you've moved the mouse, are you sure you want to do that?" and the like.

This isn't so much about Apple stopping trojans from entering your mac, you still need to be careful about that.

But this is about Apple stopping virus writers from using Apple's tools to write and distribute their malware. It gives Apple a killswitch to deactivate any developer who suddenly goes rogue.

Then again, the worry is that the developer id code becomes compromised and suddenly legit apps are being killed because some hacker reverse engineers Adobe's id code.

3
9
Anonymous Coward

He?

Welcome to your new world...

1
0
Anonymous Coward

Security biz scoffs at Apple's anti-Trojan Gatekeeper

Because it shows how useless their useless software is.

'Waahhh! But we wanna scare punters into buying our useless crap"

7
6
Anonymous Coward

Stupid Nergatron

You fool

You slagged off anti virus software vendors in an anti apple thread. Ordinarily you'd be voted up, but sadly not this time.

A whitelist is proactive, whereas a blacklist is reactive and that's all that anti virus scaremongers have got.

Whitelists are the way forward, but if apple do it, then it's very bad indeed

3
0
Joke

Trademarks @ Dawn

"Computer security historians would be interested to note that 20 years ago there was an anti-virus program for Mac, also called Gatekeeper. The software, developed by independent programmer Chris Johnson, was shelved many years ago."

Hope they've determined whether or not they need to buy the rights to use the name. Otherwise the marketing department needs to be rebranded "iShouldHaveChecked"

4
2
Devil

Protecting...

.. the stupid from themselves.. like those gullible Mac owners who were duped into installing that "Mac Defender" Trojan last year

Gatekeeper will probably make most savvy Mac users think twice about 'upgrading' to Mountain Lion

As for me, well I still run 10.6.8 and haven't had any Trojans jump aboard this system... and I find that there are lost of good non Apple endorsed applications out there that are quite safe.

It seems as if Apple may be a little paranoid now that [reports of] more home users are buying Macs. How sad..

3
2
Silver badge

Re: Protecting...

I'm quite savvy, why would a feature I can disable at any time make me think twice about upgrading...

3
0
Stop

Re: Protecting...

"Gatekeeper will probably make most savvy Mac users think twice about 'upgrading' to Mountain Lion"

Oh really? How do you figure that, given that a savvy Mac user can turn it off in Mountain Lion with one click of a radio button?

Now, maybe it would make them think twice about upgrading to the one after Mountain Lion. You know, the one where everybody knows that Apple will suddenly reveal their plan all along was to lock down the Mac into a walled-garden and that all of the previous statements to the contrary made by Jobs, Cook et al were just misdirection and lies. I don't see that happening, personally, but either way the time to cross that bridge is when we get to it, or at least not before we've crossed the previous bridge with another 2 years to go.

2
0
Facepalm

Re: Protecting...

How do you know you have no Trojans?

Is that not the point of a Trojan that you don't know it is there until it is too late? Perhaps you have never connected it to a network or used any sort of disk, is the Mac still in its box?

1
1
K
Bronze badge
Coat

revoking third-party peripheral drivers in order to 'secure' that experience

Device compatibility and driver availability is poor at best... so Apple, please do tighten the screws furthers on an already miserable market :)

Ding dong, the bells are crashing.. nope, thats MacOS sounding its death bells (oh I dream of the day!)

5
8
Alert

People with a massive...

...interest in FUD spread FUD, you say?

2
0

Love the "expert" commentary here

Look, grandma is tired of viruses and the like. She wants something to email the kids and see pictures on. She doesn't care about kernel hacking and getting some home made gizmo to work. Few people care about anything under the hood. They just want it to work and catering to them, the 95%, makes far more sense. This stuff has to be as simple and dumbed down as TV or it just won't fly.

10
1

Re: Love the "expert" commentary here

You do realize no one in the Reg comments is going to be even slightly at home to this sort of excellent good sense, do you?

2
2
Thumb Up

Re: Love the "expert" commentary here

Completely agree - except, have you noticed how complicated TVs are becoming these days? My wife can barely change channels these days, let alone play a VHS tape.

0
1

Re: Re: Love the "expert" commentary here

Are you sure? I mean, mine claims not to be able to either, but that's just because she'd rather I be the one to get up and stuff the tape in the slot.

0
0
Silver badge
Joke

@Aaron Em

Beavis: Hur hur, he said "stuff the tape in the slot"

2
0
Joke

Re: Re: Love the "expert" commentary here

Who the hell is developing more and more complicated VHS-based systems? Maybe she should just buy some iTape so she doesn't have to look at the TV.

0
0
Thumb Up

Re: Love the "expert" commentary here

That is exactly why Apple are doing this, they want to help Grandma. It has nothing to do with wanting to charge OSX developers to get 'whitelisted'.

2
0
Facepalm

Re: Re: Love the "expert" commentary here

"It has nothing to do with wanting to charge OSX developers to get 'whitelisted'."

UNLIKE Microsoft, who managed to hose themselves by GOUGING their developers with certificate fees for 64-bit Vista. Developers ignored MS. 64-bit Vista suffered from having very few drivers. MS saw the error of their ways and stopped their fee parasitism in time for 64-bit 7ista.

Apple developers simply set up their own digital signature, no fee. Apple only revokes their trusted status when their software is proven to be dangerous or malware. The only problem here is the delay between initial net infection and revocation.

1
1
Bronze badge
Happy

Re: Re: Love the "expert" commentary here

Well after our VHS player broke many moons ago, we purchased a very good little had disk based recorder (a PACE). 6 months later (having been using it regularly) my missus did ask me how to change the tape.... The user experience was obviously so good that the transition had been seamless until....

0
0

Re: Love the "expert" commentary here

Obviously it's good for granny.

The worry is for business users if it does indeed lead to an iOS level of control freakery.

0
0
Bronze badge
Facepalm

Flaw in your logic

So what prevents a malware author just creating lots of certificates and distributing their malware under all of them? That's the fundamental issue with "cheap" or "free" certificates, without a certificate authority that performs proper identity checks they're pretty much useless.

0
0

Re: Re: Re: Love the "expert" commentary here

There is a fee. To get a signature you must be a registered Apple developer which costs 99dollars a year. In Microsoft's case, a driver is in a much better position to compromise a computer than a general app. A fee for signing deters would be hackers.

0
0
Silver badge

Well this article sure is balanced

It shows the hysterical paranoia from both sides - its a step towards locking down everything AND it doesn't lock down enough. Geez.

4
0
Silver badge
Stop

Real *nix experts I see

Completely ignoring the fact that software on USB drives, CD/DVD/BR, network shares etc. WON'T just install without being screened. All software requires raised privileges to install and will cause a prompt for an admin account and password.

What's more code signing means that having been installed rogue software may be remotely killed by revoking it's certificate.

3
0

Re: Real *nix experts I see

"All software requires raised privileges to install..."

There are two scenarios to consider:

1) The 'LUSER' Factor: Computer administrators want to lock down the Macs of those most likely to click Phishing links, download and install malware, send money to Nigeria, etc. Potentially dangerous users are not given the Administrator password, are not given privileges to install ANYTHING. However, with Gatekeeper and administrator can lock the setting to only allow downloading from the Apple Mac Store, which just about guarantees safe software. That's a nice compromise.

2) The Sloppy Administrator: We know there are plenty of Mac owners who do everything inside administrator accounts and also do dopey stuff on the Internet. We know that the iServices botnet had at one point over 10,000 botted Macs, all of which were infected by way of installing hacked Warez/Torrent versions of Mac applications, including iWork and Photoshop. These people are going to be vulnerable whether they download this malware or copy it over from external media. Obviously some of them also downloaded and installed bad copies of the Flash installer from fraudulent sources, causing the minor Flashback malware war with Apple this past year. Clearly Apple is making a good effort to help the hapless. But the only total cure for sloppiness would of course be a Real-Time anti-malware scanner, infamous for bogging down Windows boxes. That's not going to happen from Apple.

0
0
Stop

Re: Real *nix experts I see

"All software requires raised privileges to install and will cause a prompt for an admin account and password."

Not true. It depends on the type of installation. If the software is a .pkg and requires the installer, then the developer controls where it gets installed. If this is the main /Applications folder, then all is fine.

BUT, if the installer allows for the choice of a single user install (like for a Pref Pane) or if the software is a plain drag n' drop install (like VLC), then there is *nothing* to stop a user installing it in their home folder if they wish. OK, so the software could only run with user privileges, but there still a fair amount of havoc that can still be caused.

I'm in favour of a whitelisted model, as long as Apple are still happy to hand out certs to developers for a nominal fee, as in the $99 one currently. It'd be a real shame to have the excellent software choice for Mac, and there's some really great small devs doing excellent work, just because Apple doesn't want it to get like Windows.

0
0
Anonymous Coward

So does this mean..

That Opensource software will need to go through Apples walled garden?

0
1
Holmes

Re: So does this mean..

Of course not

You can still install anything from anywhere

Anything that runs under X11 will continue to run for example. Though you will have to install X11 separately You forget that a great deal of gear that apple uses as it's default install is open source.

Mach Kernel, Darwin, CUPS, Webkit etc.

Here's 200 other open source projects that apple supports

http://www.apple.com/opensource/

and here's a dev link

https://developer.apple.com/opensource/

3
0
Silver badge

Or Alternatively

you can get your code signed, and still stay out of the mac store.

Is making sure software is coming from where you think its coming from really such a bad thing?

3
0
Thumb Up

Re: Re: So does this mean..

"Here's 200 other open source projects that apple supports"

Actually, the number is closer to 300 and growing. Apple initiated and sponsors quite a few of those open source projects. Most recently Apple donated their Apple Lossless audio format into open source.

1
0
Thumb Down

I wonder how long.....

it will be before Apple slams the roof on their walls, turning the garden into a mushroom factory, forcing their vict^H^H^H^Hcustomers to buy all the software through the Apple store, thus ensuring a guaranteed income stream from the 30% they force the sellers to fork over.

Thak smeg that I have managed to avoid being sucked in by the shiny, thus being able to chose what I install on my computer, rather than having my choice limited by a monopolostic, avaricious company hell bent on forcing everyone to do it the way the company want.

Freedom of choice

is what I got

Freedom of choice

is what I want

(Apologies to Devo)

0
3
Windows

Re: I wonder how long.....

"Thak smeg that I have managed to avoid being sucked..."

Then let's hope you don't use Windows either and live entirely on Linux or real UNIX. Otherwise, I reserve the right to ROTFLMAO at you.

And just to freak you out: Mac OS X is certified real UNIX. I regularly run XWindows apps on it.

2
0
Anonymous Coward

@Derek Currie, Grammar Nazi comment

I think they fume at "X Windows" and insist on "X Window".

0
0

Re: Re: I wonder how long.....

Actually, Mr Smartypants, at home I use both Windows and Linux.

I use Windows for the thing it is best at, namely gaming, and I use Linux for pretty much everything else. I just wish I had the choice to use Linux at work, but unfortunately my employer is firmly entrenched in Microsoft's inefficient bloatware.

0
0
WTF?

Isn't the point that Apple should be praised for allowing non-App Store apps to be signed? The alternative to Gatekeeper is that App Store apps can be installed without a warning, and *all* other apps display a "warning, this application is from an untrusted source, are you sure you want to continue?" message. How is that better?

2
0

Do you know what's worse than no security?

False sense of security.

0
2
Gold badge

Re: Do you know what's worse than no security?

It's funny, because code signing and cryptography seems to work in the games console world. They have only managed to get around the protection in consoles after a lot of hard work and in the case of the PS3 they wouldn't have so easily had Sony been a bit more clever. In some cases hardware modifications were needed.

So why should it fail so easily in the computer market?

1
0

Page:

This topic is closed for new posts.