Apple security is 'struggling,' researcher says A well-known security consultant says Apple is struggling to effectively protect its users against malware and other online threats and suggests executives improve by adopting a secure development lifecycle to design its growing roster of products. "Based on a variety of sources, we know that Apple does not have a formal …
So Microsoft builds security into its products "from the ground up"? BWAAHAHAHA! Thanks for the laugh. I guess there's a difference between "having security in mind" and actually "having security". Be nice if they ever got it off their minds and into production.
Yes, Apple could do a lot better on the security front, mainly by vetting and demanding greater security from 3rd party vendors and by having a better security framework for their windowing system. But at the core MacOSX is still based on OpenBSD, currently the most secure of the 'nix systems. so at least they got that right, assuming they're still in contact with that group. Given the increasing power of the short-sighted fuckwits in the marketing dept vs the generally competent technical side of the company, I'm having my doubts.
Problem is that there's a lot more malware targeted at easily fooled idiots these days, and those are never in short supply, no matter which operating system one looks at.
Apple will release a very beautifull little white plastic box costing no more than your left arm. The Box will be called iSecure and gets plugged in inbetween computer and router. The Isecure will look really nice and you can show it to all your friends who will also thing it looks nice. The box will in addition to looking really nice and sexy, give you a misplaced feeling that your computer is protected by magic Mac dust scraped from the ass cracp of God son Steve.
Back when they were running all PPC systems and used Intel builds to discover bugs, there were far more on top of the situation than now PPC is just an afterthought . Apple would improve its security if they brought out a Power 6 or Power & based system but I don't think Steve's ego would let them.
"He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java."
Dan,
Apple may have to Virtually Rethink their Security Strategy for Java is AIRemote ProgramMING Mac Portal with and for Executive Change Privileged Access to Core Protocols and Multifarious Drivers.
It is only a gaping security hole though, if it is abused. And such is only possible if it is allowed. It is however, not allowed and thus will always remain AIMIsssion Impossible and a Waste of Time in CyberSpace.
Just ask Anyone who would know even a Little about Secured Flight Configuration for CyberSpace Operations, if you do not Believe IT written down here.
Nope... FreeBSD 5.2.something, I do believe. Not the finest version of FreeBSD ever released, as it marked a major change from the way things were done in 4.x.
But even were it the most secure operating system in the world, lousy application software is still going to allow user-level exploits, and OSX is certainly not the most secure. Apple have a positive attitude to security only where it regards people trying to use their products in ways Apple does not want them to: jailbreak for example. Everywhere else they seem to be slow and uncommunicative at best; lazy and incompetent at worst. Even if they threw everything away and made a whole new hardware and OS platform running OpenBSD on Sparc or SELinux on Power6 or whatever, they'd only be buying themselves a limited period of security before their terrible attitude catches up with them and suddenly they're a popular, non-obscure platform full of gaping holes, again.
Unless there's a bit of a sea-change in their corporate culture, we're going to end up in the bizarre situation where Microsoft is releasing more polished, more stable and significantly more secure products than a competitor.
It's almost as boring as the Gordon "hopelessly out of his depth" Brown fiasco. Why is it that EVERY comments section about Apple or one of it's products begin with some clever-dick smart-arsed comment that seem to have been copied and pasted from a previous post! It's even more annoying when these same people whinge with their Reg/commenter is anti-Microsoft and hasn't "got a clue" chip-on-the-shoulder attitude! YAWN. Don't like Apples kit? Don't read the articles. As if Windows is secure!!! People in glass houses and all that...
This "well-know security consultant" has obviously timed this release to co-inside with the WWDC, and has conveniently neglected to mention the appointment of Ivan Krstic - the chap responsible for the excellent BitFrost system for the OLPC - and the obvious steps that Apple are taking to improve security. I'd like to know which Redmond based company is paying for this "well-know security consultant" to conduct his research?
"Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind..."
Among the first? Christ, I hope that no-one else copied their idea, it seems to have failed quite appallingly.
Can anyone give us a list of the products that have been built with "security in mind"?
It wouldn't be too hard to supply a list of the products that are as secure as a wet paper bag.
Microsoft don't really have a good reputation when it comes to security, do they?
Thank you, Gordon. This is one of my pet hates. The kernel is a Mach hybrid (XNU) and the userland binaries are *derived* from FreeBSD and these parts are collectively called Darwin. MacOS X proper is everything else, including the kernel and CLI, and is proprietary. MacOS X, as a whole, could best be described as the "Mambo Number 5" OS: A little bit of BSD, a little bit of Mach, a little bit of Nextstep, a little bit of X(org from 10.5)... That's not to say it's not well engineered, just that it cannot be considered to be "SomethingBSD." It's MacOS X in its own right, with its own issues and quirks and it's up to Apple to maintain it, not Theo de Raadt or Colin Percival.
With regard to BSD flavours, Free can be as secure as Open, Open can be ported to as many platforms as Net, and Net can be as popular as Free. It's the defaults chosen by the project that count; OpenBSD starts out of the box with no services running at all. Do the same with FreeBSD or DragonflyBSD and they're just as secure. The Apache that runs on FreeBSD is the same Apache that runs on OpenBSD. Once you load that onto either system and poke a hole through pf for it, both are vulnerable to whatever Apache is vulnerable to, your "lowest common denominator" if you like. Similarly, load Firefox onto MacOS X and you're now vulnerable to everything Firefox is. Or Safari. Or iTunes. I could go on, but that would be belaboring the point.
Bottom line for absolute, guaranteed security is pick two: Software, net connection, power. Anything else is a compromise and a gamble that your chosen vendor of *any* software you use (or you) can keep one step ahead of the black-hats, which is basically the concern of the article we're all commenting on.
"Can anyone give us a list of the products that have been built with "security in mind"?"
Yes. Most everything Windows from 2000 upwards has been built with an eye toward security. The fact of the matter is that Windows, by dint of its shallow learning curve and lack of anything remotely considerable as complex to the outside, coupled with every damned service including IIS running by default or by mistake, bound to every single bloody interface, attracts the lowest common denominator *user* who is, in security circles, the most gaping, easy to exploit vulnerability of all. That includes those who go by the acronym "Must Consult Someone Experienced" as a server with a GUI that any old munchkin can go and click to get what looks like the intended result just encourages stupid mistakes. "Yesterday I couldn't spell sysadmin, now I are one."
WARNING: Foobar.exe is trying to modify the filesystem. [Allow] [Block]
What's your average luser gonna click? Not you, him. It's only your job to clean up after the thick bugger, bearing in mind that he's also a Power User (sic) meaning he has root on his own box, a legacy from the last MCSE that touched that domain controller and got fed up with the moron forever asking him to install a screen saver instead of growing a pair and cattleprodding the bastard for even asking, regardless of whether he's the Senior VP of Staff Toilets or not. Don't forget any network shares he has access to, will you? Should have used that group policy editor sooner and cleared the Power Users group of fuckwits, shouldn't you?
Jocular rant aside, the bottom line with Windows is that the lunatics have taken over the asylum. Nothing to do with the code, everything to do with the intended audience.
It's funny how any mention of Windows and security gets the mactards/freeetards jumping up and down on their soap-boxed about how the only Pc they have touched (in 1995) was swamped in viruses within 2 seconds of touching the internet.
Well my house contains one 10 tear old boy who has absolutedly no regard or concept of computer security and a very inquisitive mind (some results duly bookmarked, others blocked) yet the PCs he uses have never once been infected. All it took was a tiny bit of effort to make his login a limited user, tweak the router to pass all DNS queries through OpenDNS and add a couple of firefox addins and a copy of AVG (just in case). Not exactly rocket science.
If MS fell down with XP, it was that the default user mode is administrator. Unfortunately, familiarity with the GUI encourages ignorance and laziness, and human nature is that people will do the absolute minimum to get the result they want just like people who only ever get their cars serviced when an MOT failure gives them no option.
"Microsoft ... products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack."
So how come their OS is such a pile of steaming shit? Or did Microsoft 'build-in' the worms, viruses, porn popups, spambots and spyware?
Sorry, old son. Mustn't pretend to be superior without criticising Windows. I'll make a note of that on this here Post-It with my password on it (as if) and I've used the Evil Bill icon just for you. Doesn't that make you feel just dandy?
Any fairly modern (>NT5) Windows box is able to arrive at a state approaching the impregnability of any other OS given the right TLC. Disabling unused services making the possible malware ingress vector surface smaller, accepting sensible defaults and overriding those that aren't, removing admin privileges from ordinary users, paying attention to updates and security mailing lists (yes, ElReg can be useful, too), limiting the software installed or installable by users to a subset of well-tested and trusted applications, use of group policies and access controls, auditing third-party software packages for published flaws, ingress and egress filtering on the gateway and so on.
There are no design flaws in Windows that cannot be mitigated with best practice, just as there are no safeguards in *any* operating system that can mitigate poor administration, lack of maintenance and user fallibility. What has killed Windows' reputation with regard to security is a combination of a massive install base to target, the *vast* majority of Windows instances being run as Administrator by users sans clue at home (UAC is no substitute for the user having to beg someone with nous to install the latest BonziBuddy clone or crappy browser toolbar) with various crapware (Dell, I'm looking in your direction), spyware and P2P applications installed and, finally but most prevalent where Windows is troublesome in a corporate setting, incompetent "systems administrators" and clueless users. Those saying otherwise have never studied and used the Windows OS in the depth required to arrive at this relatively secure state which is the crux of the issue, unless you want to include those who think that for [insert OS here] to win, Windows has to lose (was it Jobs who said that about Apple fanboys criticising Windows for perceived but false issues? I forget).
Please, do remind me which was the first OS to fall in the last "Pwn2Own" contest, too. You would think that, with all the "fundamentally flawed" design decisions in Windows, it would be Windows and they wouldn't require user intervention, a browser or Adobe swiss cheese-ware to accomplish it. Perhaps they just didn't want a Sony Vaio and five grand? As it was, Safari failed epically, maybe because the MacBook was a more desirable prize. Yet again, a user-space application combined with user activity compromising the operating system, which was exactly the same way the Vista box was compromised in the next slot. Same shit, different OS.
Are we done with this debate now or, as the French would say, shall I taunt you a second time?
This is an article about Apple, yet somehow it degenerates, yet again, into an article about how shit Microsoft are, with the usual tired old acusations, regardless of if they are correct or current or not. Grow the fuck up people.
I'm not just sick of this with a certain class of Apple users, also a certain class of MS and Linux users, you may call them Zealots, either way they generally comment from a position of ignorance. This place is like Slashdot eight or nine years ago.
"do remind me which was the first OS to fall in the last "Pwn2Own" contest"
If you are basing your analysis of OS security on one contest and ignoring a YEARS of MS incompetence in this area then your powers of observation are suspect at best. Wake me when Macs even have a 1000th of the malware issues that MS has and then you might have a point.
Are we done with this debate now or, as the French would say, shall I taunt YOU a second time?
I was going to go into ODFO mode, but I'll bite.
No, I'm basing my analysis of OS security on experience and ability. The Pwn2Own contest was mentioned to prove that it is usually applications, whether bundled or not, that compromise the host OS, assisted by users, which has been my contention since this little debate started. I also mentioned that MacOS got it up the Khyber first because it was the tastiest prize in the contest. Of course, you also missed the implication that ANY OS is only as secure as its apps and users, which I have been trying to point out all along, hence my mention of the Vista box getting rooted via Adobe software. Too subtle for you, perhaps?
Yes, Windows was dire with regard to security before the NT based Windows versions with a real hardware abstraction layer, a decent set of APIs with security features exposed by the kernel and NTFS became mainstream. This is not the case now, as they have similar security features as Unix based OSen (access control on the file system, per user controls, group policies, distributed authentication and so forth) so I'm afraid a lot of these arguments against MS Windows fall flat on their faces when you actually know how to use these features properly. Again, in case you missed it, I'm not talking about "out of the box experience" here. The home users can take their chances if they're stupid enough to trust any OS straight from the box. Might I also remind you that MacOS X's ipfw firewall is not enabled by default? I'll say it again: The prevalent issue with Windows security out of the box is users running as user Administrator. This, along with every other security issue, can be mitigated using the frameworks provided.
I might also point out at this juncture that I do not use Windows as my primary OS. I know some very knowledgeable people that use it, whether as client machines or as primary OS and, unlike some, I respect their choice of tool for the job. I have no ties to MS and I have less than zero interest in promoting their products. I do support Windows shops and I will service and secure Windows machines with equal facility to those loaded with my preferred OS. I simply think it is time to drop prejudice and zealotry and wake up to the fact these long-standing myths are nothing but an attempt to look smugly superior and disregard the fact that people are stupid. Now, if you'd like to engage in a privacy debate, talking about vendor lock-in or adherence to standards, you may find I appear on the other side of the fence. It's called being objective and sticking to the damned point.
Still, if you think you can claim the high ground by missing the point, go right ahead. And do try to be a little more imaginative with your next reply. Having my own little quip turned around and regurgitated, well, let's just call it pitiful. Do try harder, eh?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
