It has EVERYTHING to do with market share. Why would I develop ANYTHING if it only targets a very SMALL population? Be it, viruses or cars.
That would be the biggest push to abandon Windows en masse! Oh, and it would become automatically safer then! Gonna tell Ballmer you have found the solution :p

I wonder why people develop any type of sw for any other platform than Windows, if I follow your logic ...
 
Great post chris, thanks a lot for that! :)

This is not a new idea. http://en.wikipedia.org/wiki/Selinux

It sounds easy until you get into the exact details. Like, for example, the browser does need to be able to read/write its cache files. But it needs to be able to create and delete those files, and this implies writing to the parent directory structure, which means it can create and delete other files in the same folder. Even if it can't read those files, directory access means it can delete them and create replacements.

A way to make this work is to label all the data and then implement both "mandatory access control" and "discretionary access controls". This almost exactly mimics the way classified documents are handled by real people. It says (1) every file has a "level" and if a program does not have a certificate to handle that level it can't look. So unless you have the "ultra-secret" clearance you can't see any ultra-secrets. But (2) the other system used at the same time also applies. Discretionary access means "need to know". So even if I can see ultra-secret stuff, no one will give me those documents unless I'm working on a project that requires I have that document.

On a Mac you might have four levels: "scratch files", "user documents", "applications" and "OS". Most of your software would have clearance to see only the first two levels. After that test, Discretionary Access checks that you are looking at your own data, not data from another user, and that if you are a text editor you are looking at a text file, not a jpg image.

I've used computers where all of this is implemented. There are standards that talk about how it works; you don't have to invent new science here.
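The two-stage check described in the post above, written out as an added example (not part of the original post or of any real system's code). The level names come from the post; the class names, sample paths, users and the read-only scope are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The four labels suggested in the post, lowest to highest."""
    SCRATCH = 0
    USER_DOCUMENTS = 1
    APPLICATIONS = 2
    OS = 3


@dataclass(frozen=True)
class FileObject:
    path: str
    level: Level   # mandatory label, assigned by the system, not the owner
    owner: str     # discretionary attribute
    kind: str      # e.g. "text", "jpeg"


@dataclass(frozen=True)
class Program:
    name: str
    user: str             # user the program runs as
    clearance: Level      # highest level the program may look at
    handles: frozenset    # file kinds the program has a "need to know"


def may_read(prog, obj):
    """Return (allowed, reason). The mandatory check runs first and
    cannot be overridden by ownership or any other discretionary rule."""
    if prog.clearance < obj.level:
        return False, f"MAC: cleared to {prog.clearance.name}, file is {obj.level.name}"
    if obj.owner != prog.user:
        return False, f"DAC: file belongs to {obj.owner}, not {prog.user}"
    if obj.kind not in prog.handles:
        return False, f"DAC: {prog.name} has no need to read {obj.kind} files"
    return True, "allowed"


# Constructed sample data (hypothetical program, users and paths).
EDITOR = Program("text-editor", "alice", Level.USER_DOCUMENTS, frozenset({"text"}))
SAMPLE_FILES = [
    FileObject("/Users/alice/notes.txt", Level.USER_DOCUMENTS, "alice", "text"),
    FileObject("/Users/alice/photo.jpg", Level.USER_DOCUMENTS, "alice", "jpeg"),
    FileObject("/Users/bob/todo.txt", Level.USER_DOCUMENTS, "bob", "text"),
    # Owned by alice and a text file, so DAC alone would allow it;
    # the OS label is what stops the editor.
    FileObject("/System/settings.txt", Level.OS, "alice", "text"),
]


def evaluate_samples():
    """Run the editor against every sample file."""
    return [(f.path, *may_read(EDITOR, f)) for f in SAMPLE_FILES]


if __name__ == "__main__":
    for path, allowed, reason in evaluate_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}: {reason}")
```

The last sample is the case discretionary permissions cannot express on their own: the user owns the file, yet the program acting for that user is still refused.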
 
The fact is, a Windows 7/IE 8 combo took something like 3 days to break into, while it took just hours to break into OS X/Safari.

This would make Windows more secure because it takes longer to break into, but OS X safer because you're less likely to run into any malware in the wild for it.

Unfortunately no. Charlie Miller, the winner of that contest says:

Alan: Well, let’s get to the part our readers will want to hear the most about. When people hear about Pwn2Own and systems failing within seconds, many imagine a Hollywood-esque free-for-all, with rows upon rows of teams trying to hack a single system (like the scene from Transformers). In truth, Pwn2Own is a lot more civilized and structured, isn't it? How does this compare to other security challenges?

Charlie: Yes, I took down the Mac in under a minute each time. However, this doesn't show the fact that I spent many days doing research and writing the exploit before the day of the competition. It only looks Hollywood because you don't see the hard work in the preparation. If you set me down in front of an application I've never seen before and told me I have 2 minutes to hack it, as is often the case in movies, I'd have no more luck than your grandma at accomplishing it. Well, maybe a little more of a chance, but not much!
http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254-2.html

In another interview/article, they mentioned that the time to take advantage of an exploit or system depends on their luck, as a software update released at any time can nullify their efforts.

At the time of that contest, Safari had been out for much longer than the other browsers, while W7 and IE8 had been out only for an extremely short amount of time. That's why it took longer to hack them. Not because they are more secure, but because they had almost minimal time to work on it.

If windows is more secure, why do hackers use macs?

Alan: You’ve won two Mac notebooks from Pwn2Own so far. Are you using either of those? What's the configuration of your primary system?

Charlie: I usually work on a pretty old MacBook that I've upgraded the hard drive on.
http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254-6.html
 
Imagine wearing a t-shirt at your local church meeting, or wearing a bullet-proof vest in Iraq. With the bullet-proof vest you are more secure; but you are still more likely to die, so the guy in the t-shirt is actually safer.
Like the church of scientology?
 
Well, the point the poster made above is still valid. Which is safer, driving in a Main Battle Tank in the middle of a battleground, or driving on a quiet country road in a lightweight Citroen 2CV? The Citroen would be safer, because there are fewer and lesser threats. For most average users, that turns out to be the most important thing.

(For commercial/enterprise users, it's a different story. They're going to be "shot at", so they need to have the "armour" and need to know precisely how good it is! :) )

I think the lack of attacks on OSX is only partly due to its inherent security (and has little to do with market-share). It might be because most people with the technical ability to write Mac exploits are Mac/Unix fans who'd rather report the vulnerability and have it fixed, rather than exploit it for mischief or profit. A lot of PC developers see their PC just as a tool, and would have no compunctions about writing malware for the platform.


That article is so wrong. Please I agree with your posts but do not put up uncle Larry talking about his own beliefs passed on as facts. Horrible article.
 
Uh... actually, yes. Windows Vista (and XP SP 2 I believe) implemented security features (I believe it was address randomization) as a direct result of virus attacks and trojans. OS X has never had viruses or trojans, and thus does not have as robust defenses against it.

The fact is, a Windows 7/IE 8 combo took something like 3 days to break into, while it took just hours to break into OS X/Safari.

This would make Windows more secure because it takes longer to break into, but OS X safer because you're less likely to run into any malware in the wild for it.
Wrong on so many counts.
http://www.apple.com/macosx/technology/security.html
http://www.apple.com/macosx/features/300.html
"Library Randomization

Defend against attackers with no effort at all. One of the most common security breaches occurs when a hacker’s code calls a known memory address to have a system function execute malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses."

I won't say much on the browser issue other than that IE 8 had just come out during the hacking contest and that OS X could not be exploited remotely while windows boxes are routinely configured in such a way as to allow for remote exploitation.
 
Riddle me this. Why was it that the Classic Mac (System 9 and older) had so many viruses and trojans and worms? Back then, "sneakernets" were more prevalent than the Internet and Macs enjoyed a laughable 3-4% market share. Years after the release of OS X, Apple finally broke into double digit market shares yet no attacks?:confused: So a 4% market share is significant enough to attract viruses, worms and trojans authors, but >10% isn't?:rolleyes: That argument doesn't hold water.

Are you sure? I think it does. I was otherwise "occupied" during the days of the previous Mac operating systems, but I am quite comfortable with the premise that the easier targets get more whacker attention. PCs running Windows were easy targets back in the OS 9 days and are still relatively easy targets today. The same cannot be said for the Mac today. That Mac OS X is less "riddled" with malware implies OS 9 was inherently less secure - so is it any wonder Apple's market share was lower then? If an OS is vulnerable, it's vulnerable, no matter if transmission is via sneaker, or ether-net. ;)

Maybe you never understood it because you never learned about it.

Thanks for the links. I have a better understanding now. With all due respect to this effort, it still occurs to me that in order to feed the mind, we must first feed the body. Keep it healthy, sheltered, clothed, and safe from strife and persecution, and maybe a niche project like OLPC can succeed.

However, I would rather the money and effort spent on these laptops was spent saving lives instead of exploiting those select few.
 
Let's start this thread off with the correct terms so everyone knows:

Windows is more secure.
OS X is safer.

Users care more about safety, so Apple's on the right side of that equation. But let's keep our comments accurate, otherwise it gets very confusing.

More here:
http://daringfireball.net/linked/2009/05/13/security-safety

That's just semantics. Ultimately, the lack of viruses on a Mac speaks volumes above any "security" differences between the two OS. One could argue that if Microsoft had not spent so much time and resources developing a more "secure" OS, they might actually get one that works the first time around.
 
Good addition, as I think Apple needs to really push out more security for their products, and he seems to be someone determined to do just that.
 
Let's start this thread off with the correct terms so everyone knows:

Windows is more secure.
OS X is safer.

Users care more about safety, so Apple's on the right side of that equation. But let's keep our comments accurate, otherwise it gets very confusing.

You are pointing out a comparison between Windows and Mac. Cancel or Allow? :D Couldn't resist...
 
...but I am quite comfortable with the premise that the easier targets get more whacker attention. That Mac OS X is less "riddled" with malware implies OS 9 was inherently less secure - so is it any wonder Apple's market share was lower then? If an OS is vulnerable, it's vulnerable, no matter if transmission is via sneaker, or ether-net. ;)

It's a nice idea that you suppose, but it just doesn't match up to the historical facts. The pre-OSX operating system was subjected to a contest with a significant amount of prize money if someone could break into a Mac via the internet. A machine was set up for hackers to bang on day and night, and the attempts went on for quite a while before someone managed to do some kind of buffer overflow and win the prize.

Much of the security of the earlier Mac OS was higher than the PC OS of the day all along. However, keep in mind the hackers were not as sophisticated as they are today, and the installed base of both Macs and PCs was much smaller. It may be correct to suppose that the number of installed PCs 10 years ago was about what the number of installed Macs is today. So, not only has Mac garnered a larger share of the market, it has also become a much larger market as well.

All along, the industry opinion has been that it was the larger base of the PC that made it a target, not that the Mac install base was small because it was easy to break. It's been a long time since I have seen the numbers, but if my memory serves me, there was a two-order of magnitude difference between the number of Mac OS viruses and PC viruses.
 
Build idiot-proof.

 
I would think Ivan ought to focus on iPhone OSX security because there is more need due to the growing popularity of the iPhone 3G and its subsequent releases and broader market share over time. Besides, iPhone holds sensitive info by default. Address book, messages and notes. The units are mostly connected during the day of use, and any security breaches are likely to be a big deal to the general user base.

It would be great to see advanced BitFrost like features. As a baseline, I would insist on a separate encrypted partition to hold sensitive data. It would need second-level authentication. A form of synchronization between a Mac (with similar encrypted partition) would allow for recovery of the "hidden" data in any emergency. One would expect OS level security levels to be on iPhone OSX to interact completely in the encrypted zone and nowhere else. Just a simple suggestion....
 
I never quite understood the OLPC concept. In Kenya or Haiti, just how many electrical outlets and Wi-FI are at the disposal of indigent children? Ok, how about the not-so-indigent? It seems to me the poor in developing nations need food, medicine, and a stable government in a country with some semblance of an infrastructure more than these quaint laptops.

These laptops do not take away from other humanitarian efforts, they add to them. Sure, we could just keep on pumping food to Africa. That way they will never manage to improve their situation. The idea of these laptops is that they enable the educators and children to "reach the next level" (so to speak).

If we want to help these people in the long run, as opposed to simply helping them survive one additional day, we need to help them educate their children. That is what OLPC aims to do.
 
...The pre-OSX operating system was subjected to a contest with a significant amount of prize money if someone could break into a Mac via the internet. A machine was set up for hackers to bang on day and night, and the attempts went on for quite a while before someone managed to do some kind of buffer overflow and win the prize...

Ah, so this must explain Mousse's assertion that the "Classic Mac (System 9 and older) had so many viruses and trojans and worms". :rolleyes:

... However, keep in mind the hackers were not as sophisticated as they are today ... All along, the industry opinion has been that it was the larger base of the PC that made it a target, not that the Mac install base was small because it was easy to break. It's been a long time since I have seen the numbers, but if my memory serves me, there was a two-order of magnitude difference between the number of Mac OS viruses and PC viruses.

I don't dispute any of this assessment. The industry opinion is also mine. My suggesting that the malware susceptibility in System 9 (and earlier) influenced market share at the time was meant to be intentionally myopic. My primary premise is the industry's. If there are hundreds of millions of susceptible Windows machines available for the hacking, why would I waste my time hacking a smaller, relatively more secure selection of Macintosh computers?

These laptops do not take away from other humanitarian efforts, they add to them. Sure, we could just keep on pumping food to Africa. That way they will never manage to improve their situation. The idea of these laptops is that they enable the educators and children to "reach the next level" (so to speak).

If we want to help these people in the long run, as opposed to simply helping them survive one additional day, we need to help them educate their children. That is what OLPC aims to do.

It's a laudable goal. However, my experience in the third world suggests there are far greater priorities not being addressed that take precedence over the luxury of education the OLPC can provide. It's not just Africa ... it's 90 miles from Florida - in Haiti. It's in South America. Follow the corrupt governments and line of despots and right in the background, you'll find the poor. And I'm not talking the American welfare, cell-phone toting, 50 pounds overweight poor either. Freeing the poor from hunger and strife is more than just shipping food to these places (as you know).

I think the OLPC concept is a dubious one in "developing nations", considering the sad dichotomy between a poor, malnourished child and the rich dictator living in relative splendor in the same country. I'd rather my money was spent helping malnourished children survive today, and infrastructure built and secured so that teaching their families to feed and provide for themselves is possible tomorrow.

:apple:
 
It's a laudable goal. However, my experience in the third world suggests there are far greater priorities not being addressed that take precedence over the luxury of education the OLPC can provide.

But OLPC does not take away from those other efforts. It's not like the OLPC-guys would be more useful handing out food than they are designing laptops.

Freeing the poor from hunger and strife is more than just shipping food to these places (as you know).

Sure. But the OLPC guys have no means to help in that area. The area where they can help is through education and technology. So their efforts do not diminish the efforts done by other people in some other area.

It's like when people complain when a new version of software is released. It contains new artwork, and people complain "why not focus on fixing bugs as opposed to working on the artwork?". They fail to understand that the coders and the artists are different people and the artists' efforts to improve artwork do not take away any resources from the coders who try to fix bugs. Those artists couldn't fix bugs even if they wanted to.

I think the OLPC concept is a dubious one in "developing nations", considering the sad dichotomy between a poor, malnourished child and the rich dictator living in relative splendor in the same country.

There are other poor countries out there, besides the ones that are run by a dictator....

I'd rather my money was spent helping malnourished children survive today

As the saying goes: give a man a fish, and he eats for a day. Teach the man to fish, and he eats for the rest of his life.

and infrastructure built and secured so that teaching their families to feed and provide for themselves is possible tomorrow.

And what makes you think that these laptops are not part of that infrastructure? It's like when remote villages got their first cell-phone. People wondered what's the point in giving them phones, when they barely have any food to eat. But it was soon discovered that the farmers used that phone to survey nearby towns to determine which had the greatest demand for their products. It was used for remote healthcare and education. And it was of course used for communication between people.

The phone singlehandedly helped the community a lot, even though on the surface it was just a phone.
 
But OLPC does not take away from those other efforts. It's not like the OLPC-guys would be more useful handing out food than they are designing laptops.

Actually, they probably would be. What you probably meant to say is that OLPC shouldn't take away from those other efforts. I think in fact that they do. Plus, I think there are far more plentiful and effective ways to educate children and PARENTS (who arguably need it more) than with niche laptops that aren't universally available.

Sure. But the OLPC guys have no means to help in that area. The area where they can help is through education and technology. So their efforts do not diminish the efforts done by other people in some other area.

Which is why it is more important IMO - that the "other people" are successful. Without REAL infrastructure, health, sanitation, and a stable government, the OLPC concept can not succeed - no matter how well-intentioned or technologically savvy the creators are.

It's like when people complain when a new version of software is released. It contains new artwork, and people complain "why not focus on fixing bugs as opposed to working on the artwork?". They fail to understand that the coders and the artists are different people and the artists' efforts to improve artwork do not take away any resources from the coders who try to fix bugs. Those artists couldn't fix bugs even if they wanted to.

This is a fair argument. So, wouldn't it follow that a company with limited resources on a limited budget would set and make priorities and staffing decisions that work to the benefit of the company and the software as a whole? In your example, I'd say in order to keep the software a viable product to market, bugs and glitches should always take priority over aesthetics. This means fewer artists and coders focused on these aesthetics and more engineers brainstorming and fixing the errors and fine-tuning the product.

It may be a beautiful laptop - technologically marvelous, laden with the secrets of education and life itself, but if the child is feverish with malaria, suffering from Kwashiorkor, he isn't going to benefit from OLPC until his other problems have been solved.

And what makes you think that these laptops are not part of that infrastructure? It's like when remote villages got their first cell-phone. People wondered what's the point in giving them phones, when they barely have any food to eat. But it was soon discovered that the farmers used that phone to survey nearby towns to determine which had the greatest demand for their products. It was used for remote healthcare and education. And it was of course used for communication between people.

I don't believe computers are the infrastructure developing countries need. At least not as a priority. I've seen what misplaced priorities in a community can do to the poor. There are cell phones in Jeremie, Haiti, yet sewage still runs through the street. There are cell phones in Jeremie, but large families still live together in small, rickety hovels of cardboard, tin, rags, and straw – unfit for human habitation. There are cell phones in the country, yet few Haitians have access to electricity or clean water. Love those phones, but kids are lucky if they get even one meal a day. A lack of vitamin A means blindness for many children. Blindness makes a laptop slightly more difficult to use.

... the phone single handedly helped the community a lot, even though on the surface it was just a phone.

In many cultures, I believe "on the surface", technology could mesmerize people to the point of self destruction. I think the cell phone is proof of this in Haiti. I'll concede that in other less indigent cultures, technology could surely assist a population to rise up from poverty. In Haiti - I'm not yet convinced.

Unemployment there stands at roughly 70%; average annual incomes are roughly less than $300 per year. Subsequently, entire villages suffer from malnutrition. Children lack sufficient calories to survive – nearly 40% are malnourished and more than 15% do not live to see their fifth birthdays. Of those who do survive, 51% are mentally and physically stunted and many go blind from lack of vitamin A. Diarrhea and pneumonia, coupled with malnutrition, remain the leading causes of death, because these children have no nutritional reserves to sustain them. You'll forgive me that these sobering facts leave me somewhat jaded at the utility of a cell phone and computer.

No - I'd rather take my chance on the latrine and clean water; on clean, dry shelter; on nourishing food; on soap and hygiene and life-saving medicine; on a safe, clean school with chalkboard, desks, paper and pencil first. Networking neighborhoods with an XO laptop just doesn't seem to me to be the missing link for developing nations like Haiti.

:apple:
 
The industry opinion is also mine. My suggesting that the malware susceptibility in System 9 (and earlier) influenced market share at the time was meant to be intentionally myopic.

Eh? Classic Mac had lower market share because of malware?:confused: If that argument carried any weight, then shouldn't Windows market share be around 1% now?

My primary premise is the industry's. If there are hundreds of millions of susceptible Windows machines available for the hacking, why would I waste my time hacking a smaller, relatively more secure selection of Macintosh computers?

Exactly my point. OS X has less malware because it is more secure. Hackers target vulnerabilities, not market share. Hence, Classic OS had malware despite smaller market share than OS X.
Windows' idea of security is building a supposedly impenetrable outer wall...and that's it. Once the hacker gets past that, there's little to stop him. With the Unix underpinning of OS X, once the hacker gets past the moderately tough outer shell, he's still got a lot of security to deal with.
 

And what makes you think that these laptops are not part of that infrastructure? It's like when remote villages got their first cell-phone. People wondered what's the point in giving them phones, when they barely have any food to eat. But it was soon discovered that the farmers used that phone to survey nearby towns to determine which had the greatest demand for their products. It was used for remote healthcare and education. And it was of course used for communication between people.

The phone singlehandedly helped the community a lot, even though on the surface it was just a phone.


Then we gave them computers and the internet, and they turned around and used them to create scams and rip off the very people who gave them the technology for millions of dollars a year! ;)

I don't really know where those computers came from, and I'm not exactly anti OLPC, but stuff backfires sometimes.

No - I'd rather take my chance on the latrine and clean water; on clean, dry shelter; on nourishing food; on soap and hygiene and life-saving medicine; on a safe, clean school with chalkboard, desks, paper and pencil first. Networking neighborhoods with an XO laptop just doesn't seem to me to be the missing link for developing nations like Haiti.

I think I lean this way.
 
This is not a new idea. http://en.wikipedia.org/wiki/Selinux

It sounds easy until you get into the exact details. Like, for example, the browser does need to be able to read/write its cache files. But it needs to be able to create and delete those files, and this implies writing to the parent directory structure, which means it can create and delete other files in the same folder. Even if it can't read those files, directory access means it can delete them and create replacements.

A way to make this work is to label all the data and then implement both "mandatory access control" and "discretionary access controls". This almost exactly mimics the way classified documents are handled by real people. It says (1) every file has a "level" and if a program does not have a certificate to handle that level it can't look. So unless you have the "ultra-secret" clearance you can't see any ultra-secrets. But (2) the other system used at the same time also applies. Discretionary access means "need to know". So even if I can see ultra-secret stuff, no one will give me those documents unless I'm working on a project that requires I have that document.

On a Mac you might have four levels: "scratch files", "user documents", "applications" and "OS". Most of your software would have clearance to see only the first two levels. After that test, Discretionary Access checks that you are looking at your own data, not data from another user, and that if you are a text editor you are looking at a text file, not a jpg image.

I've used computers where all of this is implemented. There are standards that talk about how it works; you don't have to invent new science here.

I agree. The OLPC security spec is naive and simplistic and unsuited to a modern general computer. It claims simplicity to the user, but relies on 'the installer' setting complex security options, as if some administrator will mediate these myriad complex permissions. Hardly simple for the user if they are their own administrator, and not very secure if you pass that responsibility on to an installer application.

You see this kind of nonsense in consultant's reports all the time. They have no experience and no idea, but they've latched onto a simple idea that sounds good on the surface, but won't work underneath. They don't know any of the detail to understand whether it will or won't work, and manage to sell it to their client because the client doesn't know either.

The client likes the idea, even though their underlings are trying to tell them it can't work. The client takes on the consultant, bullies their underlings into working with the consultant, chastises the underlings for being negative nay sayers and 'can't' understand why their computer project is years/millions overdue and still doesn't work.

This guy better have more than OLPC security up his sleeve if he's going to work at Apple. He'll get found out pretty quickly, though - unless in Jobs' absence the 'managers' have taken over and can't tell/don't want to hear if it's crap.

If anyone's got any links for solid work from this guy - please post them. On the basis of http://wiki.laptop.org/go/OLPC_Bitfrost, I don't believe he warrants further investigation.

If Apple is thinking of bringing the brain-dead way the iPhone OS operates - preventing the user and apps from seeing their own data file system and preventing apps from sharing data - to Mac OS X or other Touch devices, like a media pad, we are in big trouble.

For too long now, iTunes, iLife, iWork and the Pro Apps have been trending towards compartmentalised environments, with dumb 'media browsers' or app specific databases (for example) to see other files. Apple's user community has been silent for too long & needs to rise up against this loss of personal control of our files before all Apple's OSs are as stupid/locked off, as the current iPhone OS.
 
It sounds easy until you get into the exact details. Like, for example, the browser does need to be able to read/write its cache files. But it needs to be able to create and delete those files, and this implies writing to the parent directory structure, which means it can create and delete other files in the same folder. Even if it can't read those files, directory access means it can delete them and create replacements.
The browser should write its cache files to ~/Library/Caches. On a system with FileVault, not doing that leaks unencrypted data onto the system disk. If Safari writes cache files to /tmp, that's a serious bug. You also have to fix vi, which has that same bug, though "set noswapfile nobackup" in .vimrc should work around the bug.

The systemwide solution for /tmp when you have MAC is to have multilabel directories, like in Trusted Irix.
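The directory behaviour quoted at the top of the post above can be checked on any Unix-like system. This is an added example, not part of the original thread; the file name is hypothetical and everything happens inside a throwaway temporary directory.

```python
import os
import stat
import tempfile


def replace_unreadable_file(directory):
    """In a directory we can write to, swap out a file we cannot read.

    Returns a dict recording what the kernel allowed.
    """
    target = os.path.join(directory, "other-app.dat")  # hypothetical name

    # Constructed stand-in for another program's data; mode 000 = no access.
    with open(target, "w") as fh:
        fh.write("original contents\n")
    os.chmod(target, 0)

    result = {}

    # Reading is governed by the file's own permission bits.
    try:
        with open(target) as fh:
            fh.read()
        result["could_read"] = True   # only expected when running as root
    except PermissionError:
        result["could_read"] = False

    # Deleting and creating entries is governed by the directory's write bit,
    # so the unreadable file can still be removed and replaced.
    os.unlink(target)
    result["deleted"] = not os.path.exists(target)
    with open(target, "w") as fh:
        fh.write("replacement contents\n")
    with open(target) as fh:
        result["now_contains"] = fh.read()
    return result


def deletion_rule(directory):
    """Report who may delete entries in a directory.

    With the sticky bit set (as on a typical /tmp), only the entry's owner,
    the directory's owner or root may delete it; without it, any process
    with write access to the directory may.
    """
    mode = os.stat(directory).st_mode
    if mode & stat.S_ISVTX:
        return "owner-only (sticky bit set)"
    return "anyone with write access"


def demo():
    """Run both checks in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        findings = replace_unreadable_file(d)
        findings["private_dir_rule"] = deletion_rule(d)
        os.chmod(d, 0o1777)           # same bits as a typical /tmp
        findings["sticky_dir_rule"] = deletion_rule(d)
    return findings


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The sticky bit only separates different users; two programs running as the same user in the same directory are not separated by it, which is the gap the labelling discussion in this thread is about.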
 