Mozilla security chief: Apple should open up

Mozilla's security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-borne threats. At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a …

COMMENTS

This topic is closed for new posts.
  1. Webster Phreaky
    Jobs Horns

    c'mon ... the ONLY thing Apple cares about is the INCOME off selling their Chinese Gadgets.

    Apple TOOK 4 YEARS to deal with well noted holes in BSD which OS heXed is totally based on, everyone knows it .... well except the Apple Kool Aid Drinkers in deep denial. And at that, many holes STILL exist!

    There have been 20 times the flaws, holes and Security Alerts reported in just the last two versions of OS heXed (10.4 and 10.5) as there ever has for Vista or XP. Yet the Apple BS ads (Mac vs PC (Windows)) never reflect this and the truth that OS X is far worse in bugginess and security holes than Windows is.

    Still enjoying your Spinning Beach Ball of Wait ... n Wait ..... n Wait ...........

  2. Anonymous Coward
    Anonymous Coward

    When

    is Webster going to finally have his final rant?? You know, the one where he gets so worked up and pops a blood vessel and has an aneurysm and goes off to the great big Apple store in the sky.

  3. Daniel Bennett
    Coat

    Be More Like Microsoft?

    Did someone actually suggest that?

    They been taking anything?

  4. Anonymous Coward
    Anonymous Coward

    Wrong

    Well Microsoft is a good example of secure software, Apple should be more like Microsoft?

    Apple have decided that telling people about your holes is probably more help to hackers than to users, and on balance I think they are correct.

  5. Graham Lockley

    Safety through obscurity

    Wasn't that MS's view on things? Seems that the Kool Aid drinkers have been trying to ape MS of old: 'yeah we know about security, we just ain't telling you'

  6. Kevin
    Flame

    @Wrong

    Do you honestly think hackers have to be told that there's security holes and what they are?

    Apple likes to cover up their flaws so people will remain in the dark and rant and rave how secure their product is. And with Apple picking up the market share more and more exploits will be written for those 4 year old holes that were never patched but remain open. Only reason Macs were secure is the reason very few were owned period. But now that people are actually buying them, and not seeing their psychologist instead with that money, they are becoming more of a presence attracting more and more attacks but with Apple's policy of ignore it and hope it goes away I get the feeling we'll see mac botnets soon sending viagra spam.

    Pile of crap icon for what apples truly are.

  7. sandiskboy

    My box is so insecure I just leave it open

    But the bad guys still ignore me. I want to be a botnet like you Windows guys. Is there something wrong with my Mac?

  8. Gordon Fecyk
    Go

    Actually, Yes.

    "Well Microsoft is a good example of secure software, Apple should be more like Microsoft?"

    Actually, yes. At least since Windows 2000 SP2 or so.

    Some would argue they didn't do anything serious until Code Red hit. I submit that MS did more to fix Code Red and all of its incarnations with one release: URLscan. This is more than any anti-virus firm ever did. And looking past IIS5, even Windows 2000 pre-SP1 on the desktop could do anything Win9x could and still be secure.

    That very, very few people bothered turning on Win2K's built-in safeties isn't Microsoft's fault.

    Apple's had pretty poor turnaround time with regards to security updates compared to Microsoft. Case in point:

    http://www.theregister.co.uk/2008/08/01/apple_dns_patch/

  9. Randalf
    Jobs Horns

    Security, the Think Different Way

    Deny, deny, deny.

  10. anarchic-teapot

    "That very, very few people bothered turning on Win2K's built-in safeties isn't Microsoft's fault."

    Um, actually, it is to a fair extent, since they ignored standard industry practice and left everything open, rather than all safeguards on and let the sysadmin turn off those that aren't required.

    Not that Apple's any better, or worse.

  11. Stuart Gray
    Coat

    Odd that no-one has noticed

    That the person quoted in the article is called Window.

    The one with the OS/2 logo, please. Yes, the one you can't reach into and steal anything from, thanks.

  12. Anonymous Coward
    Anonymous Coward

    Idiots guide to OS Security

    The idiots guide to OS Security.

    1) All OS's are identical under the hood.

    2) Windows is inherently insecure therefore all OS's are inherently insecure.

    3) Code can be run on a Windows box without the user's knowledge or permission being required. Therefore all OS's are the same.

    4) Virus writers are so utterly contemptuous of OSX & Linux that they don't bother to write anything for them. Ever. This lack of virii is down to this reason alone and not anything to do with a better security model.

    5) Anything that Microsoft say is true. Particularly if they're lying through their teeth to explain away another easily exploitable toy OS release.

    6) Anyone who tries to point out the differences between Windows and its (far superior) cousins OSX & Linux is a fanboy and anything they say about user accounts, unwritable root folders and security models is therefore a pack of obviously biased lies. Windows commentators on the other hand never do this.

    7) Windows doesn't have any problems other than the many thousands of hackers who are SO jealous that they exist to write malware in order to try to blacken the name of Windows.

    8) There's no point in bothering to learn OSX or Linux because only elitist wankers use them and at the end of the day - all OS's are the same.

  13. Anonymous Coward
    Jobs Horns

    You're forgetting one thing...

    Apple are perfect and Steve Jobs is our saviour. They don't need to update flaws, because they aren't flaws. How dare El Reg utter "security hole", "Patches", "fixes" in an article relating to Apple?

    Steve Jobs won't be happy, no, not at all!

  14. Anonymous Coward
    Anonymous Coward

    Webster, ever the voice of truth and reason

    It may (or may not) have taken Apple 'four years to deal with noted bugs in BSD' but since there were precisely ZERO exploits of this in the wild I fail to see what I have to be worried about.

    In fact, let's count the number of viruses I've had to deal with in eighteen years of Mac ownership.

    Er, none.

    Trebles all round!

  15. Anonymous Coward
    Unhappy

    Name

    Her name is 'Window' ?

  16. Anonymous Coward
    Flame

    Be more like MS?

    In terms of security? No. Why lower yourself to that level?

    In terms of standards compliance? No. Why start ignoring the standards?

    In terms of quality? No. Why fire your QA team?

    In terms of stability? No. Why make your products from jelly?

    In terms of communication? Hmm....could be.

    As much as MS make crap, non-standards compliant, non-interoperable products (I know, I am forced to use them every day) they do at least communicate in what appears to be an open manner (certainly far more open than Apple) and when Windows Update vomits another slew of updates at me, I know what is going in and why. Again, unlike apple which installs stealthware ("MobileMe") without my informed consent, tries to force Safari on me and still doesn't tell me why I *really* should upgrade to iTunes 8.

    The Apple fanbois are as bad as (worse than?) the Windows and Linux fanbois. Unquestioningly taking whatever Apples send at them up the fundament. OSX is *not* secure. Just because Apple does not tell you about the holes, does not mean those holes do not exist. It may be more secure than Windows; but that's not exactly a measure to instil confidence is it?

    Apples should be more open about their security flaws. Apple should also get a grip. They are simply vendors of cutesy, Intel based PCs with a rip-off of BSD slapped on top.

  17. jubtastic1

    Seems to me that

    Radio silence on what they are aware of and fixing makes for an unattractive ecosystem to code exploits for, as the plug may get pulled on your project at any time. Announcing what you're fixing would be a boon to black hats, giving them a good idea of the usefulness of an exploit simply by its omission.

    After the fact reporting would be nice though, at least something more than "Bug Fixes", although I suspect this is done for much the same reason, users don't need to know and the security professionals will eventually work it out.

    I agree that security through obscurity is no security at all, but having said that, if you discovered your front door swings open if you bang it near the hinge, would you fix that on the quiet or put up a billboard outside your house, explaining that workmen would soon be fixing your dodgy front door?

  18. Ascylto

    Mo who?

    How can you take someone seriously who ...

    a) Has a name Window Snyder

    b) Has worked for Microsoft and opines about security

    !!!!!

  19. Alexis Vallance
    Thumb Up

    @ Kevin

    Not the old market share argument again.

    Millions of Macs are sold every quarter, but the market share is always going to be fairly niche. At what point are we going to be seeing apocalyptic virus attacks? When market share is 8% or when it's 9%??

    People have been saying it for years but OS X is as unaffected by problems in 2008 as it was when OS X arrived in 2001. If your market share argument held any weight, we'd be seeing at least something by now.

    Ranting like Webster doesn't change the fact I'm sitting here, happy as larry, with no anti virus, stumbling around the internet with nothing bad happening to me. And I'll be doing the same tomorrow, and the same in 5 years time.

    It's great!

  20. John

    If apple should open up, so should mozilla

    Funny that one reg story is about mozilla telling apple to open up and another reg story is full of Linux people bashing mozilla for not opening up to the full glory of the GNU/GPL. Go Iceweasel I say!

  21. Anonymous Coward
    IT Angle

    @Gordon

    "I submit that MS did more to fix Code Red and all of its incarnations with one release: URLscan. This is more than any anti-virus firm ever did."

    Gordon, Code Red exploited a bug in IIS. Microsoft *should* have done more to fix it than anyone else because it was a bug in their software. Code Red didn't affect apache servers, whether running on Apple boxes or otherwise, because, duh, they don't run IIS, so they weren't vulnerable.

    Win2k is not "secure", for an intro try the 500 page "Hacking Windows 2000 Exposed";

    http://www.amazon.com/Windows-2000-Hacking-Exposed-Scambray/dp/0072192623

    What are you wittering on about?

  22. TeeCee Gold badge
    Jobs Horns

    Re: Wrong

    If Apple were finding all the holes themselves and fixing same before anyone else noticed them, you'd be right.

    However, since by and large they are responding to threats identified elsewhere, the cat's already out of the bag as far as the hackers are concerned, so you're wrong. All the current approach serves to accomplish is to leave the end user with his pants down and painfully unaware of the fact.

  23. Anonymous Coward
    Anonymous Coward

    @jubtastic1

    "I agree that security through obscurity is no security at all, but having said that, if you discovered your front door swings open if you bang it near the hinge, would you fix that on the quiet or put up a billboard outside your house, explaining that workmen would soon be fixing your dodgy front door?"

    No, but if you discovered it and you knew everyone else's in your neighbourhood had identical doors, then you should tell all your neighbours so they could take appropriate steps till the fixers arrived.

  24. David Kelly
    Stop

    sigh

    Yawn, more ignorance from the likes of Webster Phreaky. Why people believe this market share myth is beyond me. After Apple's "mac is more secure than pc" ads you would expect a bunch of angry hackers to create Mac viruses just to prove them wrong. So where are these viruses then?

    As for vulnerabilities, only a clueless moron would take a *count* of vulnerabilities as an indication of how secure an OS is. Five cracks in a Volvo wing mirror do not make it more dangerous to drive than a Fiat Punto with one dodgy brake line.

    Personally I think Apple should be quicker to fix security holes, and more forthcoming with information, but I still feel much safer using OS X than I ever did on a Windows machine despite running no anti-virus or firewall.

  25. Kevin
    Jobs Horns

    @Alexis Vallance

    OK let's remember the new generation of virus writers are not like the ones that started the game.

    They no longer write viruses just to see what they can do as once was the case, the majority now write them to make a profit plain and simple. Going on that which is smarter to go after 10-12% of the market share or 80%+ of it.

    Yes windows is insecure if you don't know how to lock it down, but your front door is no different if you don't know how to lock it. I personally prefer knowing if my door won't lock or that there is a flaw in the lock so I can prepare for what might happen than being told the door's lock is working perfectly and no one will get in when the tumbler's busted and can't lock.

    And it's so nice you have had no viruses in 5 years.. Ohh wait you don't know if you have anything cause last I checked OSX was able to be infected via worms, and seeing you have no anti-virus you can't check. Now on the other hand I have 2 windows 2000 pro boxes and have not had an infection in over 6 years and have a virus scanner that I update regularly to check if I do.

    Now begone and go drink Steve's magical koolaid.

  26. David Kelly
    Thumb Down

    @Kevin

    Sorry Kevin, you come across as clueless as Webster.

    1. What is the sum total of all UNIX based viruses? You want to tell me that all OS X, Linux, BSD, Solaris etc. machines combined are too small a number to be a target?

    2. What do you think most banks and ISPs run their servers on? Oh, let's remember that banks only make up a tiny market share of all businesses so by your logic they are an unattractive target :-D

    3. Show me an OS X worm out in the wild.

    4. Regarding your ignorance about Mac anti-virus programs maybe you should try a simple Google search.

    5. Your theory of profit is applicable, but not in the context you are thinking. Anti-virus writers love to drum up FUD about Mac viruses so they can try sell more copies of their pointless software.

    6. Yes you can lock down Windows to make it more secure but why should you have to? Why buy a car where you have to replace the locks which are harder to break into when you could have gotten a better engineered car with decent security in the first place?

    7. OS X server 1.0 was released in 1999 so that would make it 9 years of no OS X viruses, not 5.

    8. I hope you enjoy wasting time and cpu cycles on your virus scans. Bet you love a good old disk defrag too.

    Now begone and try educate yourself before your next display of ignorance!

  27. Kevin

    @David Kelly

    #1 Is it not Linux that last week a company made a rootkit for? Just because something is non existent now or really rare does not equal the future. 5 minutes after this comment is posted someone might make the most infectious virus ever for the mac that goes live or they might not.

    #2 OK do those machines you just named have idiotic users physically at the machine using it OR Administrators who know what they're doing and not using it for menial tasks? I've not seen many windows servers that have been properly configured have viruses on them.

    #3 Found one virus not a worm, I'll admit, called Leap-A while looking it up on Google which you have to download and run it but let's face it you can easily con users into doing that. Which if I remember was how a good amount of the popular Windows viruses spread. So how long until worms start like I said before just because it does not exist yet does not mean it won't in the future.

    #4 I never claimed to care about anti-virus programs on a mac. I just said unlike a mac user I got something to tell me I have nothing on my computer not pray to the almighty Apple gods and hope.

    #5 you have a point that also happens on windows a lot but let's face it if you were going to make a program to get the most wide distribution in as short of time you would pick windows so my original context holds up also.

    #6 A car is not the best analogy to use because no matter what you do it's still possible to steal it. The biggest threat to any security is an uninformed user which is the way the original person I directed the reply to sounded and why I used a house.

    #7 OK the 5 year comment was at Alexis Vallance who said in the 5 years they owned it not total years the OS was out. So please learn to read the whole context and the person's post it was directed at and do not show ignorance while calling someone else ignorant it really makes you look kind of foolish.

    #8 Well as I have probably wasted a whole 3 days in CPU cycles on virus scans combined in 5 years on 2 boxes while the computers would not be in use anyways it doesn't really bother me. Now why bother bringing disk defrag into an argument about security? You call Webster and I clueless but last I checked Windows users know about defrag and its use where as Mac users don't know security holes exist at all.

    I hate to say something you mactards got completely wrong. You think any time someone posts negatively about Apple's practices you think it's an attack on the company (or religion the way most of you act) that you so love. I'm not trashing the mac platform actually it's the opposite I hope it doesn't become as popular as Windows to write the malware for, and I don't think telling their users how to make sure they don't get exploited or even that a security hole exists is hard but it seems most of you from your comments prefer to think its flawless and unbreakable but whatever it's all up to you seeing you're their consumer.

    So please enjoy Steve's special kool-aid by all means.

    And to do one correction my original comment I ended the wrong way seeing I was tired from work, the pile of crap was not directed at Apple computers but their practice of security through obscurity.

  28. David Kelly
    Stop

    @Kevin

    #1 Anything is *possible* but that doesn't make it *likely*. The day there are OS X viruses out in the wild your argument will have weight, until then it's just speculation.

    #2 Tell me, why has OpenBSD only had two remote security holes in the default install in 10 years? Who's safer, an idiot user on an OpenBSD box or an idiot user on WinXP?

    #3 You're talking about a trojan, not a virus. I think you have selective memory if you don't remember all those Windows viruses that spread by email that didn't even require a user to open the mail.

    #4 Mac users don't need hope. I should think that 10 years of no viruses is reason enough to know that an anti-virus program isn't required.

    #6 My car analogy could just as easily be applied to a house. Is it safer to buy a house with strong locks and burglar bars or a house where the windows are wide open? (pun intended!)

    #7 Alexis was talking 5 years in the future, so the original context of your reply was wrong.

    #8 Why should a casual user have to know about security? The whole point of owning a Mac is that it works for you, not the other way around. A user shouldn't have to update virus definitions, apply patches, defrag drives, clean the registry etc. In fact, even administrators shouldn't have to do those sorts of laborious tasks.

    "You think any time someone posts negatively about Apple's practices you think it's an attack on the company"

    That's not what my argument was about at all. You should have recognized that when I mentioned UNIX, Linux, BSD et al. This is about idiots who think that Macs are only secure because they represent a smaller market share. If you truly believe that then you really have no understanding about OS security.

    FYI I should point out that I have been a UNIX admin for several large ISPs and high street banks and currently work for a security consultancy firm. I use various UNIX flavours as well as OS X and Windows on a daily basis. So, you may want to point your "kool aid / mactard" comments at someone who doesn't recognize them as a childish means of lashing out at something you clearly don't understand.
