back to article Apple's lone wolf approach to security will bite it in the rear

Apple may have minimal market share in desktop computers, but it has dominated the smartphone and tablet markets for years without any significant hacker exploits. Is Apple impervious to hackers, or is it just a matter of time before its luck runs out? The answer to both questions is a definite maybe. For years Apple has …

COMMENTS

This topic is closed for new posts.
  1. LarsG
    Meh

    Anything can be broken, anything can be got into, so no one system is immune. It's a question of the manufacturers taking a proper approach to the problem and the end user being sensible.

    1. RICHTO
      Mushroom

      What rubbish. It is the NT based OSs that are designed with 'security baked in' and UNIX that has to bolt on things like proper access ACLs and SEL to provide full security. Windows passed things like FIPS certification almost out of the box whereas Linux required massive changes to be made.

      This is largely why Linux servers are a much larger security risk than Windows ones: http://www.zone-h.org/news/id/4737

  2. Usually Right or Wrong

    The trend is social engineering

    Even Microsoft hacks are tending more towards social engineering of the end user to get them to install malware. Much as MS is criticised for having vulnerabilities over the years, it has made MS users aware of the pitfalls and more wary of clicking Yes or OK without thinking.

    Apple users are only starting this journey and Apple does not yet have the responsiveness of other software providers in that they provide security updates as and when they deem it necessary or a press release excerpts pressure.

    This is not a troll, I use MS, Android (even further behind Apple), and Apple and work in information security so am aware of what fixes are released, when and what promoted the fix and more importantly, how the exploits work.

    Few are now direct attack exploits compared to just 2 years ago, most expect a user to click somewhere to trigger the exploit, putting the major OS's and apps on a similar playing field.

    1. jai

      Re: The trend is social engineering

      Rather than a trend, it is more the current fad.

      As soon as a way is found to reduce the success of these social engineering attacks, then another method of attack will be chosen. social engineering attacks are only used now because previous vectors of attack are not longer so successful.

      you're comment suggests that Apple users are brand new to the social network scene and will happily click and install malware without suspicion. that's not the case.

      also, you suggest that because MS users have had malware installed in the past, they are more wary now? that's similar to suggesting that it's a good thing that your house burnt to the ground because now you'll be more careful about not leaving the gas on the cooker while lighting up a cigarette.

      1. Busted

        Re: The trend is social engineering

        My experience of mac users must be different to yours as about 90% of all the ones I support will just click yes yes yes to anything flagged in front of them. Windows users that I support however on the whole don't and I often get request to look at things they aren't sure about.

    2. Anonymous Coward
      Anonymous Coward

      Hence Gatekeeper

      Apple's front door is increasingly well guarded-the App Store and Gatekeeper systems are pretty good, sandbox most third-party apps, and give them a great mechanism for scheduled update checks as well (along with the server infrastructure to send updates out quickly...). The problem there is onerous sandboxing restrictions could soon drive a lot of popular apps elsewhere, which would defeat that advantage-they need to consider setting up a system to allow popular apps like SuperDuper that have to run outside a sandbox to get on the App Store (possibly with a disclaimer).

      The Java attack was devastating because it struck at a real back door: an area of OS X Apple had ignored, and didn't seem to be able to quickly update. I hope they've learned their lesson (in fact, did you know that upgrading to Mountain Lion uninstalls Java?) but they're now a major target for hackers, and I don't think they have much experience at dealing with that. Maybe they should hire people from Microsoft?

      1. Chet Mannly

        Re: Hence Gatekeeper

        "Apple's front door is increasingly well guarded-the App Store and Gatekeeper systems are pretty good"

        You mean apart from all those iOS apps that got through the front door downloading your entire contact list and other personal details without permission?

        Apple had zero clue about that until it hit the papers. Better to have a guard than none, but its far, far from infallible.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hence Gatekeeper

          "You mean apart from all those iOS apps that got through the front door downloading your entire contact list and other personal details without permission?

          Apple had zero clue about that until it hit the papers. Better to have a guard than none, but its far, far from infallible."

          Actually Apple had a huge clue about that--it was a very well documented and understood "feature" that apps were free to access your contact list.

          I have no idea how this was considered a good idea at the time of design but it was absolutely intentional. (And now we can argue about which is worse, poor security foresight or accidental security holes...)

      2. RICHTO
        Mushroom

        Re: Hence Gatekeeper

        Erm - but IOS could be rooted simply by visiting a webpage....

  3. asdf
    FAIL

    Sunoracle fail

    Once again regardless of the OS security starts first with removing the malware portals that are the oracle java VM as well as adobe flash and reader. For being built supposedly to be secure the java VM generates even more critical CVEs than even M$ these days.

    1. asdf
      FAIL

      Re: Sunoracle fail

      And as for inevitable down votes from the Java programmers, yes the language is useful and has its place but the official reference VM implementation has always sucked (along with many of the API's which even SUN quickly obsoleted but I digress) and it doesn't belong on the desktop of most users.

    2. Anonymous Coward
      Mushroom

      No

      Apple are responsible for Java updates on OS X now following the Oracle takeover. It's their problem. And I worry about this, because OS X Mountain Lion uninstalls Java when you update.

      I need Java for work, but I think Apple's decision after the Java malware fiasco may be to quietly declare Java deprecated, move the less-expert users away from it, and take the position that anyone knowledgeable enough to reinstall it from a terminal window can look after themselves with minimal attention paid by Apple to providing security updates in future. I think I may be about to become the victim of Apple's ruthless deprecation processes.

      1. Seanie Ryan
        Pirate

        Re: No

        removing java was a brilliant move. I woud say 99% of users we support never need java, so having it there just left a vector of attack. No one I know even knew it was there beforehand or what it was except a few programmers.

        I need java for 1 system i use and so, after upgrading to 10.8, i simply installed it again, and am aware of potential issues with it.

        why are people so bent out of shape on this? Need it , install it. Simple.

  4. Anonymous Coward
    Anonymous Coward

    Click yes by default ...

    ... is still the prevalent attitude for a lot of computer users. They are more afraid of saying no and having the message "they obviously didn't read" cause a problem then just say yes and go on with what they are doing. For years, I've given this simple security tip to anyone who's computer I have fixed. "Read the message. if you don't understand it, clicking NO is always the safer option". The few that listened I lost as costumers, because all the sudden, the computer stopped breaking.

    1. HMB

      Users don't want security

      Windows NT based products have good levels of built in security, 9x was a patched on disaster, sure, but NT has always been good.

      Microsoft's problem is that users don't want security. They don't want complicated passwords, they want their password to be "woofy". They don't want the screen dimming and a privilege escalation box. Hell, users don't even want to read system messages.

      Microsoft know their users, so do Apple. For Microsoft they've had to learn to give their users things they didn't want for their own good.

      1. Anonymous Coward
        Anonymous Coward

        Re: Complicated Passwords?

        It's not whether the password is complicated or not --- it's whether it gives unfettered access to the entire system or not

      2. Anonymous Coward
        Anonymous Coward

        Ahem...

        @HMB

        "Microsoft's problem is that users don't want security. They don't want complicated passwords, they want their password to be "woofy". They don't want the screen dimming and a privilege escalation box. Hell, users don't even want to read system messages."

        You bet I don't want screen dimming. It drives me nuts and is one of the first things I turn off anywhere I find it.

        I am perfectly capable of understanding a privilege escalation box without it thanks.

    2. Anonymous Coward
      Anonymous Coward

      Re: Click yes by default ...

      Wat

      You lost "costumers" because their computer stopped breaking?

      Wat

  5. Anonymous Coward
    Anonymous Coward

    I love OSX and my laptop is around 4 years old. A while ago it would have been a no brainer to upgrade to a new machine. But the fact my Mac Pro won't run the new OSX even though it runs faster than my laptop is just ridiculous.

    Okay, would you really expect them to write new EFI firmware for a 6 year old machine? I guess not and I would need to stick a new graphics card in it. Luckily I'm not that bothered as it's running Snow Leopard still, but it was a wake up call.

    I will have to see what happens with Logic Studio and see what OS it needs and if they're going to dumb that down like they did Final Cut. But they really are losing any credibility they had in the creative media industries. The really sad thing is how crap Windows 8 will be for doing anything remotely similar like music production.

    1. keithpeter Silver badge
      Linux

      Snow Leopard => Intel Mac Pro?

      Have a look at Ubuntu then. Try CinelerraCV for video (some of the FinalCut clients have started to use this). Try out Ardour and a sequencer. Don't forget stuff like PD in an fx loop....Jack audio is frustrating to start with but then you get to see the Frankenstein like possibilities.

      Back on topic: does a media production machine need an internet connection? If not, that is almost all of your security sorted, whatever the OS.

    2. Anonymous Coward
      Anonymous Coward

      They shouldn't

      This is probably tempting fate, but the reason for the FCP debacle was that they needed to completely rewrite it anyway-it was a Carbon app and needed to be changed to Cocoa to run as a 64-bit process, and they went overboard with the idea that FCPX could be born legacy-free. Logic Pro has been Cocoa for five years now, so no absolute need for a major rewrite.

  6. Nanners
    Stop

    Back on topic.

    Back to the security issues. People have been clamming it will bite apple in the ass (one day) since Jobs came back. It never has, and I'm pretty sure that it is just pissed off "security expert" talking. I don't trust "security expert" one lick.

    1. cyke1
      FAIL

      Re: Back on topic.

      Um if you didn't notice it already has, look back at flashback virus, MS had a fix for it within a day of it being announced in the wild, took Apple 2 months to release the fix for it. But in the end the biggest security flaw in the OS is the user at the keyboard. Windows users know what can happen very easy to your computer and are proactive most the time to fight it. Apple users on other hand mostly think their machine is just secure and not at risk for anything. Apple for longest time had on their website "we don't get virus" crap on their website, that is gone now.

    2. RICHTO
      Mushroom

      Re: Back on topic.

      Thats because OS-X has never had significant market share. At only circa 5% it smply isnt worth it for hackers...

      1. NotTellinYou
        Alert

        Re: Back on topic.

        LOL...uh huh...keep telling yourself that!

        So if your a hacker do you go after Windows users with all their anti-virus software installed on cheap computers or do you go after the MILLIONS of unprotected expensive Mac's with owners that actually have $$$$?

        Humm.... nawwwww...I'll go after the Windows boxes where I'll be lucky to infect a few thousand before I'm found out and stopped.

        Great logic!

        1. RICHTO
          Mushroom

          Re: Back on topic.

          A simple look at the statistics proves that you are wrong....Windows has far fewer security vulnerabilities than OS-X yet far more Malware. Therefore hackers clearly do make the choice to attack Windows.

  7. toadwarrior

    That article was pretty useless and doesn't have anything of value to really say. One of it's key points was over something that was a flaw with humans rather than software and largely due to the guy being a public figure with something of value that was relatively easy to take a hold of from a remote location.

    And yes OSX is vulnerable to stupid users just like all operating systems. The 100% full proof system is one that gives you zero freedom.

    1. ItsNotMe

      "The 100% full proof system is one that gives you zero freedom."

      And does not exist.

      1. Anonymous Coward
        Go

        Re: "The 100% full proof system is one that gives you zero freedom."

        You missed the opportunity to point out that iOS tries...

  8. Mike Brown
    Trollface

    never understood why there isnt a lot more viruses for macs

    if the customers are stupid enough to buy there over priced crap, then chances are they are stupid enough not to check there bank accounts!

    1. egal

      Re: never understood why there isnt a lot more viruses for macs

      If you're going to call others stupid best not to show ignorance with your grammer and spelling.

      there = their

      isnt a lot more = aren't more

      Or are you typing from a .......... machine?

      1. jason 7
        Facepalm

        Re: never understood why there isnt a lot more viruses for macs

        You might want to check one of those helpful but somewhat condescending suggestions.

        Just a thought.

      2. Mike Brown

        Re: never understood why there isnt a lot more viruses for macs

        oh noes, i have shown my lack of understanding and inteliigence becuase i cant type a correct order of symbols.

        poor grammer and spelling show nothing more than a poor grasp of grammer and spelling.

        1. Anonymous Coward
          Headmaster

          Re: poor grammar and spelling show nothing more than a poor grasp of grammer and spelling.

          No. They show poor use of the primary means of communication. They also show lack of understanding of structure and logic, which can be rather important in a technical field.

          It is impossible to post in a grammar-Nazi subthread without making embarrassing mistakes, so I'm just going to hit that submit button, because how ever many times I proof-read this, I will not spot mine. But everybody else will, immediately.

          (And, although my grammar is average plus, my spelling is lousy)

        2. icanonlyimagine
          Big Brother

          Re: never understood why there isnt a lot more viruses for macs

          'poor grammer and spelling show nothing more than a poor grasp of grammer and spelling.'

          If you say so...but it also shows laziness and lack of rigor, conversational dullness and impeded comprehension

          ...pretty much borne out by your inane comments.

        3. Anonymous Coward
          FAIL

          Re: never understood why there isnt a lot more viruses for macs

          @Mike Brown sez .. 'poor grammer and spelling show nothing more than a poor grasp of grammer and spelling' . You are correct. Grammar is irrelevant in this instance. The comment itself is sufficient to demonstrate your breathtaking ignorance.

      3. Kubla Cant
        Headmaster

        Re: never understood why there isnt a lot more viruses for macs

        "If you're going to call others stupid best not to show ignorance with your grammer and spelling."

        If you're going to call other ignorant, best learn how to spell grammar.

        Pot, meet kettle.

        1. tomban
          Headmaster

          Re: @Kubla Cant

          > If you're going to call other ignorant

          others?

      4. Anonymous Coward
        Anonymous Coward

        lol FAIL @ egal

        The amount of fail and irony in your post is hilarious.

      5. stu_ekins
        FAIL

        Re: never understood why there isnt a lot more viruses for macs

        Grammer = grammar

        Or are you typing on behalf of an actor......... called Kelsey?

  9. Justice
    Trollface

    Stupidity is the greatest hacking tool there is. The ‘One password to access them all’ mentality will be the undoing of the FaceSpace generation. One false move and All your clouds are belong to us.

  10. KimDavis

    Not recent

    Imperva didn't recently highlight this trend. The pdf linked to is from October 2011.

  11. jason 7

    Time for MS to....

    enable DEP and ASLR for all apps regardless and force a separate password protected admin account with standard user accounts.

  12. Alan Denman

    Confdentiality agreements

    Once you get your mis-behaving app past the Apple clerks its quite easy to do a scam.

    And the confidentiality agreement probably even helps you hide away once you are found out

    Lucrative would an understatement if this turns out to be true.

  13. LDS Silver badge

    What security breaches are used for? Crackers don't need a tablets botnet - yet....

    There is a misconception about attacks. Why someone attacks a device? To obtain a gain. That can be stealing your infoprmation, trying to deceive you and get money directly from you, or use your system to build more lucrative attacks, be it simple spam or hide an attack against a paying target.

    A lot of the malware around is used to build botnets for spam. That's why Apple products are not interesting to criminal hackers. It's far better to target Windows PC all over the world - you don't need a tablets/phone botnet - yet.

    Stealing informations - and I mean stealing more information that those mobile devices already steal and phone home because they are already designed so - is a new territory to be exploited - the more interesting informations get stored on mobile devices, the more they become appealing to crackers, and for "interesting" I do not mean some nude pics of celebrities. But remember some of those attacks may work *above* the OS - preferably through and in a browser. Moreover mobile devices have chances to connect to far less secure and reliable networks...

  14. Anonymous Coward
    Anonymous Coward

    Really?

    "whereas Windows has traditionally treated security as a feature to be added to the kernel, rather than baked right in"

    While that is very true for DOS/Win9X platform, is it simply not an accurate statement for the Windows NT kernel which has been in existence since 1993 and at the heart of most Windows desktops and servers for the last 10 years. Please do some reading!

    http://www.windowsitpro.com/article/windows-2000/windows-nt-and-vms-the-rest-of-the-story

    1. Roo
      Coat

      Re: Really?

      I think people overstate the similarities between VMS & NT. Granted there are some superficial similarities at kernel level, but in terms of the OS they are nothing like. I went from VMS 5.5-2 to NT 3.51 and they were not remotely similar from the point of view of an application developer, system administrator or user. I was very disappointed by NT, it promised much and delivered sweet F.A. I suspect that if they had pitched NT as a multi-user OS rather than something that runs on a single-user workstation the security and resource management aspects would have been in much better shape.

      It's a shame, Cutler & Microsoft had an opportunity to do something different and/or do something better, instead they copied an old OS and left all the good stuff behind. With 20/20 hindsight I would have like to have seen MS clone UNIX and put all their energy into making their UNIX the bestest. That was never going to happen because Cutler is quoted as hating Unix and on that basis I figure he would be unlikely to take the time to learn enough to copy the good bits and learn from their mistakes.

      Mine is the one with the VAX11 Architecture Handbook (c) 1979 in the pocket. :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Really?

        MS tried to use Xenix early on.......

        1. Anonymous Coward
          Anonymous Coward

          Re: Really?

          MS Didn't "try to use" Xenix, MS were the Xenix vendor/owner/developer - AFAIK there is still MS code or IP in bits of system v.

      2. Anonymous Coward
        Facepalm

        Re: Really?

        I had similar experiences to you - moved from SunOS to NT 3.51, which I found painfully slow but stable, then NT 4.0 came along and the stability went out of the window. Thankfully Solaris was still widely used, and then Linux took off, so I was able to return to a decently designed operating system.

        As for Cutler, my understanding is that he designed the core of a kernel, along with hooks for things like filesystem security. However, many of the major subsystems were designed and implemented by independent teams, which resulted in duplicated functionality (hence the two incompatible filesystem security layers). Then for NT 4.0 they basically broke the original design in order to improve performance. Not that the original design could of been that great - some processes are unkillable, and there's that annoyance where you can't delete (unlink in Unix terms) a file that's open in another process. As for being users being able to splatter files across pretty much the entire disk, it makes backing up a pain since you have to back up the whole drive. Finally, there's all the DOS baggage. Drive letters for example.

      3. RICHTO
        Mushroom

        Re: Really?

        NT was and is a fully multiuser OS and was sold as such for some uses. Just because the user experience was not the same doesn't mean it isn't so...

        They didnt copy an old OS at all - as the rest of your comments make clear! What they did was employ one of the best OS and kernel experts in the business to build an enteprise grade hybrid microkernel OS from the ground up......

    2. Ammaross Danan
      FAIL

      Re: Really?

      Let's correct a couple of things (so far):

      Speaking of Apple: "...but it has dominated the smartphone and tablet markets for years without any significant hacker exploits."

      So, the fact that each iOS version has been able to be rooted by jailbreakme.com isn't considered a significant hack/exploit? Not to mention the App Store's free in-app downloading vuln? For shame.

      "...Apple has long benefited from treating security as a first-class citizen in its engineering philosophy."

      Since when? Likely around 2003 when iOS was being developed. The article praises Apple over the "security-conscious" OSX, which is based on BeOS (Unix variant) of which Apple did not develop, but simply bought and slapped their GUI on top. The fact it was secure from the ground up wasn't Apple's doing, but something they lucked out in inheriting.

      I'm sorry, but stating: "Apple has long benefited from treating security as a first-class citizen in its engineering philosophy. This carries through to the design of Apple's mobile operating system iOS, as well." followed two sentences later by "Apple, which was somewhat blasé about iOS security early on, releasing the iPhone with serious security design flaws, has since smartened up about mobile security." is so contradictory that it hardly requires commenting. You can't "carry through" a strong security ethic, but then say that they were "blasé" about said ethic.

      1. Anonymous Dutch Coward
        Boffin

        Re: Really?

        Completely correct post! Though this being one of Mr Asay's masterpieces, the contradictions did not come as a surprise to me.

        1. Anonymous Coward
          FAIL

          re: Completely correct post!

          Other than Apple bought NeXT and not Be. A significant error I'd suggest. Oh and that the malware on the platform is statistically very low. But yes, completely correct.

      2. Anonymous Coward
        Anonymous Coward

        Nonsense

        OS X is not built on top of BeOS. I think you mean NeXTSTEP/OPENSTEP.

      3. Peter Gathercole Silver badge

        Re: Really? BeOS?

        Firstly, BeOS is *NOT* a UNIX variant. It was written from the ground up as a modular OS which was mostly POSIX compliant. True, it has Bash but....

        Secondly, I think that you must have meant that OSX was based on Mach (inherited from NeXT), which is a partly micro-kernel operating system with a BSD command set over the top. Again it is not a UNIX variant, but looks to all intents and purposes like UNIX because of the BSD command set (like Linux).

        1. Anonymous Coward
          Anonymous Coward

          Re: Really? BeOS?

          NeXT used Mach, but they didn't invent it. While OS X didn't decent from the original UNIX code base, it *IS* a registered official UNIX per the Open Group.

          1. Anonymous Coward
            Anonymous Coward

            Re: Really? BeOS?

            NeXT used Mach, but they didn't invent it. While OS X didn't decent from the original UNIX code base, it *IS* a registered official UNIX per the Open Group.

            Mach was based on the BSD Unix kernel, while the NeXT userland was based on 4.3BSD. It's since been updated with code from NetBSD and FreeBSD as it evolved into OS X. The result is that OS X is descended from the original Unix code base, but one that over time has had all the AT&T code replaced.

        2. Tom 38 Silver badge
          Headmaster

          @Peter Gathercole

          I may be misreading your post, but OS X is a UNIX operating system - both 10.6 and 10.8 have been certified to SUSv3, making them without question UNIX. However you may have been saying that Mach and BeOS where not UNIX, which is correct - BeOS is not even 100% POSIX, and Mach is just a kernel.

          BSD is possibly UNIX - they all descend from 4.4BSD-Lite (certified UNIX), and at least FreeBSD has a SUS compliance program, but none are certified. Linux is not UNIX, it is POSIX, but the cost of UNIX certification means most distributions concentrate more on LSB compliance, which is similar to, but not that same as SUS.

      4. Tom 38 Silver badge
        FAIL

        @Ammaross

        Apple are major sponsors of the TrustedBSD project, which aims on hardening BSD (and consequently OS X). It didn't exist before they started it, and it pays for the research of obert Watson and his team at Cambridge. It is fully open sourced, with major contributions from inside Cupertino.

        Security doesn't happen by accident.

      5. RICHTO
        Mushroom

        Re: Really?

        Yes, Apple 'treating security as a first-class citizen in its engineering philosophy' must be why OS-X has over 1700 known security vulnerabilities. For reference thats about 4 times as many as Windows XP and 8 times as many as Windows 7.

        In fact the only OS with a worse security vulnerability record is enterprise Linux distributions....

        See Secunia.org

  15. This post has been deleted by its author

  16. Winkypop Silver badge
    Joke

    Virus?

    Do we have an app for that?

  17. Anonymous Coward
    Anonymous Coward

    The Windows kernel has a very rich object based security model...

    ...far richer than that in unix. Trouble is that many Windows programmers still test their software with near or full admin privileges, and their code doesn't gracefully handle any of the security related exceptions or error codes the kernel helpfully provides. The Windows security model is enforced by the kernel.

    Unix security is basic: you don't run application software as root, and security is at the 'file' level, (deliberate quotes: unix people will know why).

    Most standard Windows programmers understand that files might not always exist, or be readable. They don't understand that opening a window might be stopped for security reasons so their software crashes in interesting ways, and, without the benefit of a unix like console, would have nowhere to write an error message to anyway.

    So historically, Microsoft has relaxed the security model by defaulting applications to run with more privileges than they should need.

    1. Anonymous Coward
      Anonymous Coward

      Re: The Windows kernel has a very rich object based security model...

      Trouble is, the Windows NT security model is overly complex and there is duplication at the filesystem security level (there are two separate read only states for example). For most purposes a simple user and group system is adequate - but Windows shoehorns too much into its security model with the result that almost nobody uses it. However, in the Unix world, because the design is simple and consistent it allows more sophisticated security to be effectively layered on top.

  18. Justin Clements
    FAIL

    Who writes this crap???

    >>Apple, which was somewhat blasé about iOS security early on, releasing the iPhone with serious security design flaws

    One one hand the article complains that no hackers target OSX because it's a small minority and on the other hand claims that the security for iOS is 'blasé' yet there aren't millions of drone iOS installs out there when Apple has hundreds of millions of iOS installs!

    So make your mind up, Apple are either very bad about security, or very good. Which one is it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Which one is it?

      Whichever makes for a quick 700 words of content-free copy, I suspect.

    2. RICHTO
      Mushroom

      Re: Who writes this crap???

      Very very bad.

  19. Henry Wertz 1 Gold badge
    Happy

    "Indeed, as much as I and others have criticized Apple for its obsession with controlling the end-user experience from software to silicon, this same approach may actually make its systems more secure than more open approaches."

    Well, security through obscurity doesn't work. But, by traditional definition IPhones are not even a smart phone (a smart phone allows you to install your own software, as opposed to IPhone that only permits software via an app store. And, if you say "installing from an app store counts", then almost every phone Verizon's sold the last 10 years is a smartphone, including Motorola Razr and a whole raft of generic flip phones. However, this restriction in app source does reduce the available sources of insecure code.

    "What rubbish. It is the NT based OSs that are designed with 'security baked in' and UNIX that has to bolt on things like proper access ACLs and SEL to provide full security. Windows passed things like FIPS certification almost out of the box whereas Linux required massive changes to be made."

    Not rubbish at all. The NT kernel had ACLs all along, but they were not used properly for about a decade (out of the box). One specific version of NT4, services turned off, no network connected, on a specific Compaq server, met a mid-level FIPS -- FIPS requires the EXACT software, hardware, and configuration or the FIPS cert is invalid. This was not a practical setup (an NT4 server with no network connection?), it was just put together since certain gov't contracts required the mid-level FIPS certification. That Linux version with "massive changes"? That had a *higher* FIPS certification than that NT4 version could achieve; to acheive the mid-level FIPS rating that NT4 got, more or less for Linux you just have to turn off unncessary services then spend loads of money to have someone certify it (then, technically, never patch it since the FIPS cert is only as-shipped). Highest FIPS levels are not really useful for a general purpose system; they do not even permit the system to tell you things like the amount of RAM available, CPU load, or free disk space, because these numbers could be modulated by an app as a rogue communications channel.

    Realistically, UNIX is as secure as it is now because UNIX had it's "Microsoft moment" (viruses severe enough to disrupt entire networks) in the late 1980s. So they made sure to *use* ACLs, privilege seperation, and such and make sure the shipped default is secure then; Microsoft didn't have their big virus problems until 10 years later, and got to a much later start shaping up the rest of Windows to take advantage of the NT kernel's security. UNIX did tend to encourage following reasonable programming practices more than Windows of old, though; I'm sure Microsoft has had a bugger of a time increasing security without breaking each and every 1990s-era Windows app that people are still using.

    "This is largely why Linux servers are a much larger security risk than Windows ones: http://www.zone-h.org/news/id/4737"

    This post has nothing to do with the rest of what you are talking about; ok, so some random kernel bugs were exploited. No amount of ACLs and such will help if your smashing the kernel stack or getting your code to run in kernel mode or what have you.

    1. RICHTO
      Mushroom

      Just about everything you posted is wrong.

      ACLs have been fully used across the entire system right since NT 3.51.

      Actually with Linux you have to complete massive customisation to meet FIPS.

      NT4 is C2 certified, which was the highest level possible at the time for a general purpose OS, and ahead of any version of Linux at the time: http://www.linuxtoday.com/security/1999120400205NW

      1. RICHTO
        Mushroom

        Oh, and "The Windows NT 4.0 evaluation included servers and workstations in six different roles, operating in both TCP/IP networked and stand-alone modes.""

        So your claim that is was not networked is BS too...

  20. NotTellinYou
    Thumb Up

    Meanwhile...

    500,000 Android users in China were infected with malware that stole their backing information by looking at nudie pictures!

    OUTSTANDING!

This topic is closed for new posts.

Other stories you might like