×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Apple Asks Security Experts To Examine OS X Lion

samzenpus posted more than 3 years ago | from the kick-the-tires dept.

Security 417

An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

417 comments

Am I reading this correctly? (4, Insightful)

Anonymous Coward | more than 3 years ago | (#35332628)

as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.

I'm sorry, what? Windows is "safer" than OS X? "In fact"?

Re:Am I reading this correctly? (1)

Tangential (266113) | more than 3 years ago | (#35332664)

I had the same thought? I've never seen a credible security report that claimed OS X is more insecure than any flavor of Windows.

Re:Am I reading this correctly? (5, Informative)

n0-0p (325773) | more than 3 years ago | (#35332936)

You're joking, right? Apple is historically months behind in patching publicly disclosed vulnerabilities in core libraries they share with other Unix-like systems (Samba and Java are two key examples). Overall code robustness is abysmal in any Apple product I've assessed--they fall over with trivial fuzzing or a few hours of analysis. They're an absolute pain in the ass to deal with when trying to resolve a responsibly reported vulnerability: they often don't seem to have qualified people triaging inbound reports, and when they do finally acknowledge the correct severity of a reported issue it can take years before they finally push out a fix. And to top it all off, their core security counter-measures (e.g. ASLR and NX) are useless as anything more than marketing fluff because they're not implemented consistently.

Seriously, I've been in the security field for almost 15 years and dealt with reporting vulnerabilities to dozens of companies. Microsoft is a pain to deal with because of their compatibility matrices and long release cycles, but they're generally competent. Whereas Apple is just an absolute train-wreck. The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort. If they ever cross the magic 15% threshold they're in for a very rude awakening.

Re:Am I reading this correctly? (4, Insightful)

Cheech Wizard (698728) | more than 3 years ago | (#35333006)

I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues.

Re:Am I reading this correctly? (1)

Shikaku (1129753) | more than 3 years ago | (#35333056)

Do you really think you are going to get a malware author to comment on why they don't write viruses for Macs?

Re:Am I reading this correctly? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35333086)

And they will still be saying that when/if Mac reaches 49% of the market. "It's less than half of the computers sold, not a big enough target".

Re:Am I reading this correctly? (5, Insightful)

PsychoSlashDot (207849) | more than 3 years ago | (#35333192)

I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues.

I completely sympathize. I've become tired of the same old excuses why faster-than-light travel isn't possible, just like you and the Apple malware thing. I mean, come on. Why don't they come up with new material?

10% of the personal computing market is Apple. That's it. Now, sure some of the remaining 90% aren't running Windows, but we know that since 2011 is The Year of Linux, the conversion isn't complete, so as of today the majority are.

Some excuses are repeated because they're... valid.

Re:Am I reading this correctly? (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35332668)

TFS is poorly worded; but refers to the fact that(while Windows suffers the, er, Lion's... share of attacks) Microsoft has been much more aggressive with rolling out architectural changes like ASLR, driver signing, etc. In pwn2own and like contests, the Windows systems are now most typically taken down by flaws in the (still deeply sucktastic) set of commonly used 3rd party software.

Re:Am I reading this correctly? (0)

Anonymous Coward | more than 3 years ago | (#35333108)

Baloney, Apple had ACL and Code signing, memory randomization, and disk encryption long before Windows rolled theirs out.

Re:Am I reading this correctly? (1)

Guy Harris (3803) | more than 3 years ago | (#35333140)

Baloney, Apple had ACL and Code signing, memory randomization, and disk encryption long before Windows rolled theirs out.

Not true for "ACL", if by that you mean "supporting ACLs on files"; NT had that in NTFS since Day One, OS X picked it up later (it originally just had the UNIX permission-bits model - ACLs showed up in either Tiger or Leopard, I forget which). I can't speak for the others, as I don't know when they showed up in Windows, but I'd still not assume OS X had them first.

Re:Am I reading this correctly? (5, Informative)

Colonel Korn (1258968) | more than 3 years ago | (#35332762)

as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.

I'm sorry, what? Windows is "safer" than OS X? "In fact"?

Every single year, OSX loses the Pwn2Own competition first. Windows and Linux always go down on the same day. No matter what version has been current, OSX has always been less secure than Windows when both are up to date on patches. If Apple changes its security culture, it could mean big things for Apple in corporate environments.

Re:Am I reading this correctly? (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35332846)

If Apple changes its security culture, it could mean big things for Apple in corporate environments.

I don't think I'll live to see the day that I hear, "Nobody ever got fired for buying Apple," like I've heard for both IBM and Microsoft.

Corporations buy the OS that the applications run on. Period. Security will forever be a redheaded stepchild.

Re:Am I reading this correctly? (3, Interesting)

Anonymous Coward | more than 3 years ago | (#35332852)

Every single year, OSX loses the Pwn2Own competition first.

Could just be that the hackers want the mac the most ;-)

Re:Am I reading this correctly? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35332896)

Pwn2Own has never been about "which is more secure". It's *always* been about glory and headlines. It's also been said at least twice (2009 and 2010) that a primary motivation for hacking the Macbook was because it was considered more valuable.

Want to see which is the most secure OS? Hook a Win 7, OS X, and standard Linux install (let's say Ubuntu) up to an unfiltered network port and see which drops first.

Re:Am I reading this correctly? (0)

Anonymous Coward | more than 3 years ago | (#35333150)

That would pretty clearly be the OS X install that would drop first. In case you haven't been paying attention to the thread, simple fuzzing of IP packets will likely take the Mac out. Win 7 has a firewall by default and isn't allowing packets to reach anything vulnerable anyway. It is pretty much a toss up on whether the Win 7 or the Linux would stay up the longest.

Re:Am I reading this correctly? (1)

Anonymous Coward | more than 3 years ago | (#35332902)

You do know that in the pwn2own competitions the first person to successfully compromise the OS through the browser gets to keep the laptop (as well as other prizes)? If one wanted the shiny Apple computer, then they would go after that one first. People also know what's on the table, too, because it's announced that it'll be using Safari on the Mac version of the target computers. If a hunter knows their target, and knows a vulnerability, they can take it down easily.

Also, one competition, especially one with such prizes as the actual computer being targeted, is hardly a measure of overall security and system design.

Re:Am I reading this correctly? (1)

Anonymous Coward | more than 3 years ago | (#35332906)

Perhaps, but Microsoft is fixing arbitrary remote code execution vulnerabilities almost every single Patch Tuesday. I guess it's good that they are fixing them, but I would feel better if they didn't have the bugs in the first place (or at least if they didn't have so fucking many of them). I don't really pay attention to Apple's security record, but there's no way it can be worse than Microsoft's has been (though they are improving recently).

Re:Am I reading this correctly? (3, Interesting)

node 3 (115640) | more than 3 years ago | (#35332930)

You mean, once the contest enters the phase where you can run a program remotely, people attack the Mac first, because they want to win the Mac, and Windows and Linux are successfully attacked minutes later.

Re:Am I reading this correctly? (4, Informative)

Kitkoan (1719118) | more than 3 years ago | (#35333052)

You mean, once the contest enters the phase where you can run a program remotely, people attack the Mac first, because they want to win the Mac, and Windows and Linux are successfully attacked minutes later.

No, he means exactly what he said. OSX is less secure then Windows. Charlie Miller (the guy who takes down the Macs first) has mentioned this in an interview here [threatpost.com] . While Apple has improved their security, they are still behind Windows.

Many pundits have made a lot of the fact that the Mac was the first to be exploited in the Pwn2Own contest. Was the choice of the Mac as the first target because the hardware/operating system combo was more desirable as a prize than the commodity Windows laptops of the other competitors? Or was it just because Macintosh exploits occur with much less frequency than Windows exploits and would therefore be more newsworthy?

So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so its no longer trivial to exploit. In fact, I have lots of bugs in Safari that I easily could have exploited on Leopard but will be very difficult on Snow Leopard. So it used to be that that it was much worse, but now its mostly comparable (although still slightly behind)

Re:Am I reading this correctly? (0)

node 3 (115640) | more than 3 years ago | (#35333146)

You mean, once the contest enters the phase where you can run a program remotely, people attack the Mac first, because they want to win the Mac, and Windows and Linux are successfully attacked minutes later.

No, he means exactly what he said. OSX is less secure then Windows.
[snip]

None of which disputes what I wrote. Pwn2own goes for the Macs first, and every other system falls right afterwards. That's because they all fall at the same part. And in spite of how you interpreted the situation, Mac OS X is vastly more secure than Windows. It's possible Windows is theoretically more secure, but theory doesn't hold as much weight as reality, and reality is that on Windows, you need to be mindful of malware, and on Macs you don't.

In *theory* Windows *might* be more secure.
In practice, Mac is significantly more secure.

And Apple's current move with Lion shows they want to keep Mac OS X more secure in practice.

Re:Am I reading this correctly? (1)

Kitkoan (1719118) | more than 3 years ago | (#35333174)

You missed the last part of Charlie Millers answer to the question about security on Apple about how it compares to Windows.

now its mostly comparable (although still slightly behind).

That means that OSX security is mostly comparable but still slightly behind, ie not as good/less secure.

Re:Am I reading this correctly? (1)

Anonymous Coward | more than 3 years ago | (#35332980)

Every single year, OSX loses the Pwn2Own competition first.

Because Pwn2Own competition directly correlates to real world scenarios.

No matter what version has been current, OSX has always been less secure than Windows when both are up to date on patches.

A metric you just made up.

If Apple changes its security culture, it could mean big things for Apple in corporate environments.

All the OSX trojans, malware, and spyware is the reason why corporations stay away from OSX. When you need security you reach for a PC running Windows.

I honestly can't tell if you're trolling or genuinely believe what you typed. Since the early introduction of OSX every security "expert" and tech pundit has been shouting about OSX being insecure and prone to viruses. It's year 2011 and we've yet to see an exploit in the wild that wrecks havoc on Macs in practice. Every grave OSX vulnerability lives and dies on the seldom-read blogs of researchers.

Re:Am I reading this correctly? (4, Insightful)

Anubis IV (1279820) | more than 3 years ago | (#35333008)

So it may be less secure. That doesn't mean that it isn't safer. If I had an unlocked house in the middle of the countryside with no one else around, I'd be safe, but not secure. If I had an apartment in the ghetto with with bars on the windows and locks on the doors, I'd be secure, but hardly safe. Granted, the situations aren't that extreme here, but it bugs me when people conflate the two. While I don't believe that security through obscurity is solely responsible for the general lack of Mac malware, there definitely are less people making an effort at exploiting it compared to Windows.

Re:Am I reading this correctly? (2)

F.Ultra (1673484) | more than 3 years ago | (#35333074)

Windows and Linux always go down on the same day.

That's strange since Linux has never been a target at Pwn2Own...

Re:Am I reading this correctly? (1)

F.Ultra (1673484) | more than 3 years ago | (#35333084)

O wait, Linux was in the 2008 competition but no one hacked it, and in 2009 and 2010 Linux was no longer in the competition.

Re:Am I reading this correctly? (1)

mr100percent (57156) | more than 3 years ago | (#35333132)

OK, I'll bite. What does Apple have to do to "change their security culture"?

Use POSIX-standards of security and auditing? Check.
Have noted security experts examine their OS before its released? Yeah, that's TFA.
What is missing?

Re:Am I reading this correctly? (0)

Anonymous Coward | more than 3 years ago | (#35333188)

> If Apple changes its security culture, it could mean big things for Apple in corporate environments.

Meh. There are lots of reasons Macs aren't in corporate enviornments, and IMHO, this one is way down the list. If corporate IT is willing to run unpatched completely insecure systems (HBGary anyone?), then the speediness of Apple's updates obviously means nothing.

There's lots of comments about security _theory_ here, but the simple fact of the matter is that corporate networks go down when the MS boxes are hacked, what, 99 times out of 100?

Re:Am I reading this correctly? (4, Informative)

polaris20 (893532) | more than 3 years ago | (#35332848)

The wording is indeed poor. Charlie Miller (made famous by Pwn2Own, hacking OS X and iOS) has stated several times that OS X is not more secure than Windows, it is safer. Safer != Secure. He goes on to say he prefers OS X, and still recommends it over Windows. Would you rather be the guy wearing a bullet proof vest running into gun fire, or the guy wearing just a T-shirt, but not even in the same county? Until OS X reaches a level of market penetration that Windows has, it'll continue to be less attractive to hackers for profit. Sorry OS X users (myself included): our OS isn't the most secure out there. Security by obscurity isn't security.

Re:Am I reading this correctly? (3, Informative)

ZeissIcon (67281) | more than 3 years ago | (#35333128)

From the Charlie Miller interview mentioned elsewhere in this thread...

Another question from the Twittersphere: What OS/browser pairing to you use? Do you do anything special (beyond default settings) to secure yourself while browsing?

You're not trying to pwn me are you??? Have you ever heard the saying about the cobbler's kids not having shoes? That's me, I'm afraid. I use Safari on OSX with no special settings. This isn't the most secure combination, by any stretch of the imagination, but I like it. It's designed by Apple engineers to be easy to use and 'just work' and it does. The risk of malware is low, and hey, I'm a security expert right :) The risk of a targeted attack is real, except I don't think I'm important enough to be targeted! So I rely on security by obscurity, I guess

Re:Am I reading this correctly? (1)

kimvette (919543) | more than 3 years ago | (#35332966)

I'm sorry, what? Windows is "safer" than OS X? "In fact"?

Of course it is; look at how many patches Microsoft releases to improve Windows security. If Apple were better at their job they would release more patches, would they not? Obviously if Apple isn't constantly in firefight modes releasing patches, they're just being lazy. ;)

Good Old Apple... (0, Troll)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35332646)

They sure have increased their emphasis on security, now that they are in a position where insecurity might allow their customers to treat the devices that they own as such...

Re:Good Old Apple... (-1)

Anonymous Coward | more than 3 years ago | (#35332652)

mr. fuzzyfuzzyfungus, sir. i need to inquire about the status of your anus.

The opposite??? (-1)

BWJones (18351) | more than 3 years ago | (#35332656)

"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. "

Say, what? Is this FUD? No, seriously. I am unaware of *any* study that makes a compelling case for OS X being more insecure than Windows. Care to back up that assertion? Link?

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332682)

It has been on Slashdot and other web publications many times. Google is your friend.

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332696)

The burden of proof lies on the one making the assertion.

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332704)

Yes, we all know the FUD has been flying, he was asking for actual data.

Still waiting for the first Mac OS X virus in the wild...

Re:The opposite??? (3, Informative)

Shikaku (1129753) | more than 3 years ago | (#35332754)

http://en.wikipedia.org/wiki/Pwn2Own [wikipedia.org]

Pwn2Own contests regularly have Safari/Mac software as a valid winning target.

Is it good data? Maybe not. But the point is that Mac's aren't targeted much because the Windows desktop share is much larger (some figures say 90%). So while they can get viruses, it's not a valuable target for botnets.

Still waiting for the first Mac OS X virus in the wild...

http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=O [symantec.com]

OSX.* near the bottom of the list. There's 13 on that list.

Re:The opposite??? (0)

mikael_j (106439) | more than 3 years ago | (#35332838)

Well, the pwn2own losses for OS X have all been due to flaws in Safari. While still serious it's hardly proof of OS X being inherently less secure than Windows or Linux.

Re:The opposite??? (2)

Daniel Dvorkin (106857) | more than 3 years ago | (#35332866)

And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!

GMAFB. You can talk about pwn2own all you want, but in the real world, no rational person doubts that OS X users are much, much safer from malware of all kinds than Windows users are. The market share argument doesn't hold water either, because in the "Classic" Mac OS days, there were in fact large numbers of genuinely dangerous Mac viruses in the wild -- not as many as PC (Windows and DOS) viruses to be sure, but a hell of a lot of them, as opposed to the effectively zero there are now. The millions of installed OS X machines running with default out-of-the-box setups would be a juicy target for malware authors, precisely because of the casual attitude most OS X users take toward security. If you're going to come up with a reason why this hasn't happened yet, other than just admitting OS X is inherently more secure than Windows, you're going to have to do better than a link to a Symantec list or a contest that represents security threats very different from those most users of all OSs face in everyday use.

Re:The opposite??? (1)

Shikaku (1129753) | more than 3 years ago | (#35332984)

GMAFB.

Is it good data? Maybe not.

Meaning I'm implying it's data, but probably only that. I said no such thing as MACS ARE SECURE HURR.

I actually don't care about this topic, AC asked for data.

And if I really want to, I can spin it the other way with Windows XP:

http://blogs.chron.com/techblog/archives/2008/07/average_time_to_infection_4_minutes_1.html [chron.com]

Which means that there are viruses that scan the internet for open security holes regularly at random IP addresses to infect other machines.

OH NO XP IS INSECURE, WE SHOULD ABANDON IT!

No, not really, it just means you should keep it patched, and not used EOLed OSes. If you are unlucky to have an XP without any SP for whatever reason, you should not connect it to the internet, and patch it offline.

So what is my point? The internet is dangerous where known and unknown threats can be found, but there are simple steps for each OS (car analogy: wear seatbelts) to help keep you safe, such as regular patching.

Re:The opposite??? (1)

Haedrian (1676506) | more than 3 years ago | (#35333024)

And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!

Alcatraz has had a number of jailbreaks. My grandmother's white fence has had 0 jailbreaks. My grandmother's fence is more secure than Alcatraz!

Just because few people take advantage of such a system doesn't mean anything. Mac has a tendacy to pull out a large patch every few months or so - that's insecurity at its finest. Obviously if they had larger market share in this day and age, they'd be more viruses.

Re:The opposite??? (1)

AliasMarlowe (1042386) | more than 3 years ago | (#35332880)

Still waiting for the first Mac OS X virus in the wild...

McAfee [mcafee.com] lists 48 known "viruses" for OSX. Most appear to be Trojans giving remote access or subverting DNS. I perused a few of the McAfee descriptions, and it was not immediately clear whether these infections would be self-propagating (as one would ordinarily expect of viruses). Just like other *nix threats, they require the user to actively run the infecting program and enter a privilege-escalating password.
While not a Mac user or fan (Linux user, mostly), I am also mystified by the characterization of OSX as being less secure then Windows. Even turning to social engineering as a security hole, it's not certain that Mac users would be easier to subborn than Windows users.

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332748)

Followed a few of those links, they say the opposite.

I'm not saying its true, but it seems a lot of people do say that's true.

"I'm not saying that Obama is a communistic atheistic muslim terrorist transvestite, but it seems a lot of people do say that's true."

That's not an argument, it's a drive-by shooting.

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332938)

Obama is a communistic atheistic muslim terrorist transvestite

atheist AND a muslim? props to him if he can pull that off

Re:The opposite??? (0, Informative)

Anonymous Coward | more than 3 years ago | (#35332742)

you ever heard about Pwn2Own? OSX got cracked in about 2 minutes in one of the more recent contests. It was the first OS to be taken down. Win7 took awhile longer, since they already have experience in dealing with security issues (~90% market share tends to get you targeted a hell of a lot more).

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332800)

Hmmm... Security issues? Or is it more likely that a talented hacker would rather hack a £1500 Macbook Pro rather than a crappy generic Windows laptop?

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332840)

As soon as there is a virus that has actually affected macs worldwide come back to gloat. Hacking with rules is like doing science in a lab. Look how messed up global warming theories are.
Also one would think that Apple's 90% share of computers above 1000$ would make a better target than cheap ass pcs.
http://www.betanews.com/joewilcox/article/Apple-has-91-of-market-for-1000-PCs-says-NPD/1248313624

Re:The opposite??? (2)

xactuary (746078) | more than 3 years ago | (#35332768)

"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. "

"Security researchers won't hesitate to point out the opposite is, in fact, true when paid to do so."

There, fixed it for ya.

Re:The opposite??? (1)

rtaylor (70602) | more than 3 years ago | (#35332786)

Windows is really easy to lock down and control from a central location in a corporate environment.

I can't even imagine what deploying and maintaining 1000+ macs would be like.

Re:The opposite??? (5, Informative)

speedingant (1121329) | more than 3 years ago | (#35332820)

It's not bad actually... You need a MacMini server x2 to replicate each other, and push out the managed settings. You can authenticate machines via AD/OD/OpenLDAP. You can host the home folders off any NFS/AFP server. Netboot, netrestore etc makes deploying easy.. I'm looking after 150 Macs at the moment, as well as a host of PC's, and I don't have many issues. It' s just me.

Re:The opposite??? (1)

mr100percent (57156) | more than 3 years ago | (#35333148)

Easy, get OS X Server, make a standard disk image and either use NetBoot or have them reimaged regularly. Not that hard, there are numerous mailing lists and Howtos for it.

Re:The opposite??? (1)

zlogic (892404) | more than 3 years ago | (#35332788)

Apple has been insisting for years that OSX has zero viruses. Users start to think they're invincible and run any downloaded binaries without a second thought.
Apple is also releasing security updates (but less frequently than Microsoft). In addition, since Apple products "just work", sometimes they have to reduce security in order to make the product easier to use.

Re:The opposite??? (1)

polaris20 (893532) | more than 3 years ago | (#35332874)

There are no viruses in the wild for OS X. There are, however, Trojans in the wild. Not the same thing. However Apple users by and large are quite arrogant and care-free about the security of their OS, and IMO are just asking for it. BTW, you can easily run OS X in a non-admin account without issue, which is more than can be said for Windows 7, which is irritating as all hell unless you run as an admin. At least OS X has that going for it.

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332942)

Actually, Windows 7 works great with a standard User account, with one exception - it won't let you install fonts. I really wish there was a separate permission somewhere for that.

Re:The opposite??? (1)

node 3 (115640) | more than 3 years ago | (#35332968)

However Apple users by and large are quite arrogant and care-free about the security of their OS, and IMO are just asking for it.

That's an odd take.

Anyway, as things stand right now, being "care-free" about viruses/malware is warranted. Once some actual outbreak occurs, or malware becomes more than a handful of trojans on pirated copies of Photoshop and iWork, the care-free days are over. But until then, what's wrong with accepting reality as it is as opposed to worrying about what might someday come to pass (but for over a decade now, hasn't)?

Re:The opposite??? (1)

polaris20 (893532) | more than 3 years ago | (#35333000)

Just because it's not widespread doesn't mean it doesn't exist. I don't see the harm in exercising a little caution and common sense when downloading and installing apps, even on OS X.

Re:The opposite??? (1)

jimicus (737525) | more than 3 years ago | (#35333016)

There are very few true viruses in the wild at all these days. The great majority are actually trojans or worms.

Re:The opposite??? (1)

bloodhawk (813939) | more than 3 years ago | (#35332798)

No it isn't FUD, do some research online, Just about every hacking contest sees OS X go down in a ball of flames in minutes, Just about every patch cycle from apple sees more security vulnerabilities patches than are found in all MS products combined in a year. Many security researchers have been pointing out Apples Lax Security practises for a long time, seems they might finally be getting the message now that there share of the pie is significant enough to warrant it being an issue.

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332886)

While Ive never personally claimed anything beyond more "security" by obscurity... I would point out that at many of the hacking contests, the people targeting OSX do so specifically because they feel it is a smaller target. (fewer competitors? Easier to be the "only" one to know about a specific issue? whatever)

I will say that OSX has been phenomenally more stable than windows. Windows 7 was long overdue, and has held up pretty well, but it is stil a bit if a pain in the ass.

I am glad to hear that Apple is finally thiking more about security. They have relied on obscurity and "we have a Unix foundation" to get by for too long. They ceertainly have to tools and expertise... They just haven't had much of a reason until lately. If Apple starts really putting the Unix underpinnings in OSX to use, thinks about security, and does with the *nix enterprise management tools what they have with the GUI.. Windows could be in trouble in the enterprise... Not that Apple has ever really shown any interest in the enterprise...

Re:The opposite??? (1)

nighty5 (615965) | more than 3 years ago | (#35332948)

a great deal of these 'vulnerabilities' in OS X are from open source software projects which release the advisories.

i guess you haven't seen any security updates from Ubuntu/Redhat or any other UNIX, before have you?

when you release a UNIX distro with a ton of software using many different packages, frameworks and programmers with varying levels of appetite for security completeness, you are going to run into a myriad of issues.

MS also have their issues, but you can't compare apples with oranges.

Re:The opposite??? (4, Interesting)

node 3 (115640) | more than 3 years ago | (#35333040)

No it isn't FUD, do some research online, Just about every hacking contest sees OS X go down in a ball of flames in minutes

Yes, minutes... After the contest enters the phase where you can load files remotely. And minutes later, Windows and Linux go down (everyone attacks the Mac first, because pwn2own means you get to keep the computer you pwn, and everyone wants the Mac).

Just about every patch cycle from apple sees more security vulnerabilities patches than are found in all MS products combined in a year.

Not remotely true. However it is true that in pure numbers, Apple patches more vulnerabilities than MS. These are primarily in Open Source products included with Mac OS X, and is seen as a strength, not a weakness. Also, Mac OS X patches tend to be local vulnerabilities, while Windows patches are far more often remote vulnerabilities, which are significantly more critical.

Many security researchers have been pointing out Apples Lax Security practises for a long time

Yet somehow the sky has never fallen. It's possible that Mac OS X is theoretically less secure than Windows, but it's absolutely certain that Mac OS X is, in actual real world usage, significantly more secure than Windows. Hands down, no-contest.

Pwn2own and "patches per year" are interesting metrics, but the only thing that matters is whether a user has to worry about their computer being compromised, and Mac users don't, Windows users do. It's as simple as that. Everything else is academic and hand-waving side-stepping of the actual issue.

seems they might finally be getting the message now that there share of the pie is significant enough to warrant it being an issue.

Apple has had sufficient market share since the beginning of consumer viruses and malware. There were plenty of Mac viruses back when their market share was far lower than it is now. It's absurd to claim that there are essentially zero malware for Macs because of market share, when their market share is large enough for thriving third-party software and hardware. Market share plays a role, but is not *the* primary reason.

What this indicates is that Apple is being proactive in making sure Macs remain as secure as they are today, and not resting on their laurels.

Re:The opposite??? (2)

klubar (591384) | more than 3 years ago | (#35332814)

Question is... are there any restrictions on what the "security experts" can report? Is this a way to legally limit what they are allowed to say... in exchange for preview copies they sign a nondisclosure agreement to only report the issues to Apple? It seems that if Apple was really serious about security they would allow the experts (and others) to have access to the source code.

Doesn't surprise me (1)

Myria (562655) | more than 3 years ago | (#35332900)

It took them 8 months to fix a 10.6 simple kernel privilege escalation exploit I submitted to their security team last year.

It's x86-specific; otherwise, I would've sent it to the iPhone jailbreak hackers instead of Apple.

Re:The opposite??? (0)

Anonymous Coward | more than 3 years ago | (#35332954)

well, for instance, you have never been able to get past windows logon by simply entering a few thousand spaces as your password.. cant say the same about fadintosh

Why did they wait until now? (1)

kmdrtako (1971832) | more than 3 years ago | (#35332678)

I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.

Re:Why did they wait until now? (3, Insightful)

Anonymous Coward | more than 3 years ago | (#35332744)

I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.

Mac OS X Lion was only released to developers this last Thursday. [macrumors.com] Bringing in security people to look at it earlier than that would require putting them under NDAs, which makes them effectively insiders and defeats the purpose of getting outsiders to look at it (i.e. peer review and sharing research results with other researchers).

I know that Slashdotters assert Apple as evil, but good grief, rein in the jingoism, please.

Re:Why did they wait until now? (0, Troll)

ynp7 (1786468) | more than 3 years ago | (#35332836)

Apple is a nation now? Geez, you Apple fanboys have it even worse than I imagined.

Re:Why did they wait until now? (1)

kmdrtako (1971832) | more than 3 years ago | (#35332924)

I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.

Mac OS X Lion was only released to developers this last Thursday. [macrumors.com] Bringing in security people to look at it earlier than that would require putting them under NDAs, which makes them effectively insiders and defeats the purpose of getting outsiders to look at it (i.e. peer review and sharing research results with other researchers).

Nope, I don't buy your argument. If they find something major now, the likelihood is it's not going to get fixed. If they found it six months ago, there's a lot better chance it could have been fixed by now.

Snow Leopard developer preview was June 2009, FCS was August 2009. If we can judge anything at all from that then Lion will ship in April or May. Three months is not enough time for a major overhaul if one is needed and QA, etc.

I know that Slashdotters assert Apple as evil, but good grief, rein in the jingoism, please.

Huh?

Re:Why did they wait until now? (0)

Anonymous Coward | more than 3 years ago | (#35332868)

They didn't. They already tried (ref [https://ssl.apple.com/support/security/commoncriteria])

"that the opposite is, in fact, true" (0)

javacowboy (222023) | more than 3 years ago | (#35332710)

"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true."

Have any quotes or links to back that up, Mr. Submitter?

Re:"that the opposite is, in fact, true" (3, Insightful)

Gaygirlie (1657131) | more than 3 years ago | (#35332828)

Have any quotes or links to back that up, Mr. Submitter?

Why would the submitter need to provide those? It's not his claim, it's a direct quote from the article itself.

And yes, among security researchers the general consensus indeed does seem that OSX is quite poor from security standpoint and I applaud Apple on their efforts in trying to beefen it up. It's hard to point one to some direct quotes on this as it's mostly just a comment here or there, but here's atleast two links:

http://www.techrepublic.com/blog/security/security-vs-popularity/4403 [techrepublic.com]
http://pcworld.about.com/od/securit1/The-Truth-About-Apple-Securit.htm [about.com]

Re:"that the opposite is, in fact, true" (2)

javacowboy (222023) | more than 3 years ago | (#35333070)

Doesn't matter. The submitter stated it as a fact. The article doesn't make much of a case for it either.

I won't say that OS X has a perfect security record, but Windows historical has an abominable security record. Things are much better now, but I still read about vulnerabilities in Windows 7 and IE, and Microsoft still patches very frequently after 0-day exploits come out.

Besides, the techrepublic link you posted still says that OS X's security architecture is much stronger than Windows and only really makes a case for saying that Apple's secrecy and slow patching are the problem, in addition to applications like Safari. Granted, Safari is distributed with OS X, but saying that the OS itself is insecure is very different from saying that individual applications are to blame.

Still, it's really an incredible claim to say that any OS can be more insecure than Windows. The reason Windows will always have security problems is the legacy baggage, including old APIs and developer expectations of users having administrator rights out of the box. A complete rewrite of Windows and elimination of any expectations of backward compatibility will be needed to address the fundamental security flaws in Windows' architecture.

Free work? (0)

Anonymous Coward | more than 3 years ago | (#35332718)

So they're asking for free work? I mean, it's not like we as a community (or security experts as a community) can take advantage of the knowledge put into these fixes. Not to mention that security consultants' time is expensive.

What an honor to work for free (1)

rdarden (87568) | more than 3 years ago | (#35332740)

How about paying reputable security researchers (or testers) to evaluate the software?

more secure (0)

Anonymous Coward | more than 3 years ago | (#35332756)

The problem is that security experts like to point out potential things that bad people could do, instead of actual bad things that bad people are doing. OS X is still one of the least attacked platforms out there, and most of the exploits that security researchers talk about finding are the sort that aren't going to be exploited by the people doing the exploiting. For example a LOT of the exploits that they talk about are for if you actually have physical access to the computer. Well I'm sorry to tell you, if you have physical access to the computer you're already boned!

wow a Free OS! (1)

Anonymous Coward | more than 3 years ago | (#35332766)

wow a Free OS! That will get lots of time and interest from highly paid security experts...
If they were actually interested in improving security they would put their money where their mouth is and start a bug bounty.

"security researchers" point out... (0)

Anonymous Coward | more than 3 years ago | (#35332776)

"security researchers won't hesitate to point out that the opposite is, in fact, true"

Without a citation or naming said researchers, I assume that anonymous/samzenpus pulled this out of their ass.

Much better link, avoids the FUD (0)

Anonymous Coward | more than 3 years ago | (#35332782)

This link avoid the FUD at edibleapple, http://news.cnet.com/8301-1009_3-20036218-83.html

(too lazy to login)

YAY !! APPLE IS BACK IN BLACK !! (0)

Anonymous Coward | more than 3 years ago | (#35332784)

I wonder what Steve will be thinking, cooped up in his emerald coffin six0feet under. Something like, HA! And they said I couldn't take it with me! HA! HA! HA!

Yeah !!

i miss the days... (0)

Anonymous Coward | more than 3 years ago | (#35332816)

...when /. wasn't completely over-run with nauseating Apple fanbois.

Enough with the felidae names already! (1)

Bobakitoo (1814374) | more than 3 years ago | (#35332894)

They should take a hint from Ubuntu. Their names always raise some complaint, but they are funny, intriguing and more importantly they sound like new stuff. Cat ++; is meh.

wtf (0)

Anonymous Coward | more than 3 years ago | (#35332990)

lemmy guess: HBGary? Tanja Nijmeijer must be using Macs

One Big Security Improvement In Lion (1, Informative)

lseltzer (311306) | more than 3 years ago | (#35333014)

IIRC, this is the version in which they will no longer deliver a Java VM. This alone will drop the vulnerability and patch count significantly. Can anyone with the preview confirm that it is/is not included?

More secure != Safer (0)

Anonymous Coward | more than 3 years ago | (#35333046)

Life isn't pwn2own. Now that Mac has finally joined Ubuntu in having a built-in app store, distrust of web-based software downloads should become intense enough to nearly eliminate malware. Whenever I'm presented with a person that says "go download this," my response is "when will this be in the Software Center." It's not a question, it's a statement. If it's not in Apple's, Google's, or Canonical's app store, there's a reason for that, and I'm not downloading it until I know what that reason is.

Actual Security Conversation (5, Informative)

99BottlesOfBeerInMyF (813746) | more than 3 years ago | (#35333058)

It is disappointing to see the comments thus far have not bothered to mention what potential security improvements are likely to be in the final version of Lion and how effective they might be. So far the ones I've heard mentioned include:

  • ASLR applied to more than just the libraries.
  • More ubiquitous use of the sandboxing framework, enough so that there are now bugs around applications being unable to save files if the file name changes in the Finder, while open in the app.
  • Dropping the custom java runtime, and making a deal with Oracle to maintain it alongside the Windows JVM.
  • A new full disk encryption system built in (branded the same as the old Filevault) with a rapid system wipe.
  • Webkit2 with a sandboxed thread model.

I'm sure in more security oriented forums there will be some good analysis of these new features, how well implemented they are, and how effective they are likely to be. The Mac App Store offers some potential security improvements by standardizing application updates and pushing them out more quickly and widely and hopefully encouraging developers to make more use of security frameworks already present. Personally, I think the sandboxing combined with the Mac App Store could be a huge boon to security if Apple can get enough developers on board, but I'm not sure if Apple will go that route. Hopefully feedback from experts will help push them in that direction.

Yet another trolling summary (0)

Anonymous Coward | more than 3 years ago | (#35333136)

The summary is fucking awful in a long line of terrible abstracts which link to terrible articles and paraphrase things which aren't usually in the original article.

How much did edibleapple.com pay for this, incidentally? I note that this website had only 4 adverts on the linked page - amazing, well done! Usually I have to search for the 15 words of content within the advert.

Enough is enough, slashdot is not fucking AOL!

Maybe we'd get better service from AOL. When's the buyout?

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...