
Apple's Unlikely Security Mentor: Microsoft

Soulskill posted more than 3 years ago | from the now-use-head-for-something-other-than-target dept.


snydeq writes "Apple has much to learn about securing an operating system, and it could learn how from Microsoft, Roger Grimes writes in the wake of further evidence that Macs are more vulnerable to attack than Windows machines. 'It's taken Microsoft 10 years to turn security from a weakness into a strength. Apple can use the lessons learned by Microsoft to manage a quick turnaround. Apple has already hired one of Microsoft's former security leaders, Window Snyder, and it has adopted a modified form of Microsoft's Security Development Lifecycle programming practices. Apple has the benefit of seeing how Microsoft fixed its past mistakes.'"


joke?? (-1)

Anonymous Coward | more than 3 years ago | (#37071498)

Is this a joke or something?

Re:joke?? (1)

Talderas (1212466) | more than 3 years ago | (#37072034)

I certainly can't believe that Microsoft had a security leader named "Window".

Re:joke?? (1)

arbiter1 (1204146) | more than 3 years ago | (#37072438)

Look at MS; it has been aggressive at fixing things since XP, even providing free security software. Also, look at end users: MS has for the most part been educating end users that they have to take preventive measures to keep their computers safe. Mac users generally think their OS is safe right outta the fox. I know I will be called a troll for saying this, but it's a fact, and Leo Laporte, for people who know who that is, pretty much said that, and yes, he uses a Mac most of the time.

Re:joke?? (-1)

Anonymous Coward | more than 3 years ago | (#37073110)

Macs come from foxes? I'll add that to the reasons why not to buy one then...

At least... (0)

kakyoin01 (2040114) | more than 3 years ago | (#37071512)

...the last sentence in the summary makes sense. Not so sure about the rest...

Re:At least... (0, Insightful)

Anonymous Coward | more than 3 years ago | (#37071798)

Well, Microsoft has mostly fixed all security problems. They're mostly either user stupidity or third-party programs now, both of which would work on any OS. Even, and especially, the iPhone, as the jailbreaking exploits have shown. Apple currently has major security problems that will only grow if their OS gains more market share. Combine this with the fact that Apple has seriously kicked itself in the foot when it has marketed their OS as virus-free and as something that can never get viruses. They still continue this practice too: when the last major Mac malware was going around, Apple told its customer service personnel to never acknowledge the problem to a customer.

Re:At least... (1)

next_ghost (1868792) | more than 3 years ago | (#37072174)

"Mostly fixed"? Excuse me, but which company just recently made a big ugly hack to at least partially patch the huge security hole caused by stupidity of third-party software vendors whose software without any good reason requires administrator privileges to run?

Re:At least... (1)

Anonymous Coward | more than 3 years ago | (#37072480)

Umm... Apple [youtube.com]? Without even requiring third-party software??

oh nos...

Re:At least... (1)

next_ghost (1868792) | more than 3 years ago | (#37072714)

Exploitable bugs are one thing. Building complete security infrastructure and then basically throwing it out the window and building another much weaker and completely superfluous one on top of it is quite another.

Re:At least... (1)

Anonymous Coward | more than 3 years ago | (#37072450)

You seem a bit confused. The malware you refer to was "scareware" which used social engineering to convince users to install it on their machines. That's not something a PC OS can do much to prevent. It didn't harm the system itself, which is something I'd expect an OS to try to prevent. Apple did end up fixing this for users by releasing software that identified this particular program and recognizable variants and removed them. That's a customer service, not patching a security vulnerability. Different scareware would still work. To date Mac users still haven't been infected by anything harmful other than through user stupidity. I'm not saying that it can't and won't happen or that the Mac OS is invulnerable. It's just your casting of recent events is wrong. Also, there has been no malware discovered on unjailbroken iOS devices either. You can thank the App Store for that. The 2 situations where you could even jailbreak an iOS device as a web drive-by (version 1.0 and the one reported this summer) have been fixed. What compute device cannot be compromised if it's in the physical possession of the perpetrator?

Re:At least... (-1)

Alex Belits (437) | more than 3 years ago | (#37071998)

Considering that Windows security model is still fundamentally broken, the last sentence doesn't make sense, either.

Re:At least... (2)

kakyoin01 (2040114) | more than 3 years ago | (#37072092)

Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems. Regardless of whether or not the Windows security model you speak of is broken, its security problems are there for Apple to observe.

Re:At least... (1)

registrationssucks (2352628) | more than 3 years ago | (#37072674)

Regardless of whether or not the Windows security model you speak of is broken, its security problems are there for Apple to observe.

You can observe and learn from a fool as well as a mentor.

Re:At least... (1)

oh_my_080980980 (773867) | more than 3 years ago | (#37073076)

Ah, the fool's logic. Security exploits exist in Windows whether 1 person or 1 million people use it. A million people using Windows did not suddenly create security holes. These holes existed before anyone used it.

Thus for OS X to be the same security risk, OS X would have to have the same type and number of security exploits as Windows.

It doesn't. Different OS. It's Unix-based, which is a hell of a lot more secure than Windows.

Re:At least... (1)

Alex Belits (437) | more than 3 years ago | (#37073206)

Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems.

NO.

Ex: Apache, the most popular and very secure web server.

Regardless of whether or not the Windows security model you speak of is broken, its security problems are there for Apple to observe.

There is nothing to learn there. Windows "security" consists of kludges built on top of an unworkable model -- it's best when it is least consistent. Apple just has to consistently use the security model it already has.

Re:At least... (1)

kakyoin01 (2040114) | more than 3 years ago | (#37073318)

NO.

Ex: Apache, the most popular and very secure web server.

Oh, well excuse me for referring to the operating systems that most everyone uses on a daily basis on personal computers. Which this article is, as you may or may not know, primarily about.

Re:At least... (1)

kakyoin01 (2040114) | more than 3 years ago | (#37073332)

My mistake, I had only skimmed the original article. Servers are mentioned. But no need to get all RAWR about it, bro.

Re:At least... (1)

Goaway (82658) | more than 3 years ago | (#37072102)

Broken how?

Re:At least... (1)

0123456 (636235) | more than 3 years ago | (#37072484)

Broken how?

For a start:

"Application Helly Kitty Screen Saver wants to: Do crap you don't understand"

Do you press 'OK' or 'Cancel'? (Or whatever buttons Windows puts up in the UAC box, I haven't used it in months)

Re:At least... (1)

Gadget_Guy (627405) | more than 3 years ago | (#37072614)

So what should Helly (sic) Kitty Screen Saver do as an alternative then? I suppose it could split up the program into two separate processes running with different credentials, just like other programs do to avoid UACs.

But how is some badly written third party software a symptom of a broken security model?

Re:At least... (2)

0123456 (636235) | more than 3 years ago | (#37072698)

But how is some badly written third party software a symptom of a broken security model?

Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree'), and now continues to support it so as not to break those badly written applications.

And because UAC messages are absolutely useless in most cases. The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit? How am I supposed to tell?

Re:At least... (0)

Anonymous Coward | more than 3 years ago | (#37073216)

The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit?

This. Jesus Fucking Christ, THIS.

How many babies would it have killed for them to have the More Details button show me the fucking file it's trying to write?!

Re:At least... (1)

Gadget_Guy (627405) | more than 3 years ago | (#37073226)

Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree') and now continues to support it so as not to break those badly written applications.

That is incorrect. To get Windows certification you had to save your settings under the user's profile. Doing this lets software run under limited user accounts and allowed for roaming profiles so users could login on any workstation and have their configuration follow them.

Since Windows NT 3.1, Microsoft has had a proper permissions system, so you did not have to run as Administrator. In all the API documentation they told developers what they had to do to work correctly. Unfortunately, because Windows 9x was the more popular OS, developers could ignore Microsoft's pleas.

It was not Microsoft's fault that developers did the wrong thing. Eventually Microsoft was bound to piss people off by changing the defaults so that their software would stop working. Sure enough, they did it with Vista and everyone got surprised. But they had a decade's notice of the API change, so the developers only had themselves to blame.

And because UAC messages are absolutely useless in most cases. The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit? How am I supposed to tell?

I agree. It is very frustrating that they do not have an "Advanced" button to let us see what the software is wanting to do. I suppose the problem could be that malicious apps could lie to the OS about what they were going to do with the elevated permissions.

However, that does not mean that the UAC is broken. It gives some protection when running as an admin, but it is even better when running as a limited user as it means you do not need to plan ahead to run some software as an admin user just because you will eventually want to make a system-wide change.
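Worked example (added here; not code from the page, Microsoft or Apple): the practice Gadget_Guy describes above, settings written under the user's profile rather than into the install tree, as a small cross-platform Python helper. On Windows it resolves %APPDATA%, the roaming part of the profile, so the configuration follows the user between workstations and no admin rights are needed. The app name and the sample settings are hypothetical, and the demo round-trips them through a throwaway config root so it runs anywhere.

```python
"""Write application settings under the user's profile, never under the
install tree. Added example (not from the page, Microsoft or Apple); the
app name and sample settings are made up for illustration.
"""
import json
import os
import sys
import tempfile
from pathlib import Path, PurePath, PurePosixPath, PureWindowsPath

APP_NAME = "HellyKittyScreenSaver"  # hypothetical, after the thread's example


def user_config_dir(app_name: str, platform: str = sys.platform, env=None) -> PurePath:
    """Per-user, per-platform settings directory.

    Windows: %APPDATA% (the roaming part of the profile, so settings follow
    the user between workstations); macOS: ~/Library/Application Support;
    elsewhere: $XDG_CONFIG_HOME or ~/.config. None of these need admin rights,
    which is what lets the program run under a limited user account.
    """
    env = os.environ if env is None else env
    if platform.startswith("win"):
        base = env.get("APPDATA")
        if not base:
            raise RuntimeError("APPDATA is not set; refusing to guess a location")
        return PureWindowsPath(base) / app_name
    home = PurePosixPath(env.get("HOME", str(Path.home())))
    if platform == "darwin":
        return home / "Library" / "Application Support" / app_name
    xdg = env.get("XDG_CONFIG_HOME")
    base = PurePosixPath(xdg) if xdg else home / ".config"
    return base / app_name


def save_settings(cfg_dir: Path, settings: dict) -> Path:
    """Atomically write settings.json; mkstemp creates the file owner-only (0600)."""
    cfg_dir.mkdir(parents=True, exist_ok=True)
    target = cfg_dir / "settings.json"
    fd, tmp = tempfile.mkstemp(dir=str(cfg_dir), prefix=".settings-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(settings, f, indent=2)
    os.replace(tmp, target)  # atomic rename: readers never see a half-written file
    return target


def load_settings(cfg_dir: Path) -> dict:
    with open(cfg_dir / "settings.json", encoding="utf-8") as f:
        return json.load(f)


def demo(tmp_root=None) -> dict:
    """Round-trip sample settings through a throwaway XDG config root."""
    root = tmp_root or tempfile.mkdtemp()
    cfg = Path(user_config_dir(APP_NAME, platform="linux", env={"XDG_CONFIG_HOME": root}))
    save_settings(cfg, {"interval_s": 300, "theme": "pink"})
    return load_settings(cfg)


if __name__ == "__main__":
    print(user_config_dir(APP_NAME))
    print(demo())
```

The point of the helper is that every path it returns is writable by the account that runs the program; an application that instead writes next to its executable under Program Files either fails as a limited user or forces the user to elevate.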

Re:At least... (1)

Stormtrooper42 (1850242) | more than 3 years ago | (#37072734)

I would press 'Cancel', for sure, considering I've never wanted this "Helly Kitty Screen Saver" to launch.

I get your point, though. Most users would click 'OK' without reading the dialog box (if they haven't already disabled UAC...)
What do you suggest to prevent those "broken" users from doing this?
Make it more annoying by requiring them to type a password, and not allowing them to disable this kind of message? (Comparable to what Linux does?)

Re:At least... (2, Interesting)

next_ghost (1868792) | more than 3 years ago | (#37072618)

Let's see... The NT family of Windows has full security infrastructure based on user accounts and access privileges. However, that security infrastructure was completely turned off by default when Microsoft decided to merge the WinDOS family into Windows XP so that you could run legacy WinDOS software and software written by idiots without any additional setup. And now, starting with Vista, we've got yet another security infrastructure built on top of the first one, which is supposed to emulate access restrictions inside an otherwise unrestricted administrator account. Does that sound like a sane security design to you?

Re:At least... (1)

wmac (1107843) | more than 3 years ago | (#37072110)

You are fundamentally blind.

Re:At least... (0)

smallfries (601545) | more than 3 years ago | (#37072166)

It is a good summary of a confused article though.

Final conclusions in the article are that while a mac is more secure than a PC, mac users are at more risk than PC users. Hmmm, fanbois line up on my left, haters on my right, and THREE, TWO, ONE.....

Apple just doing what MS has done for years (2)

Registered Coward v2 (447531) | more than 3 years ago | (#37071524)

MS is the typical fast follower: let someone else test the market, then jump in and take advantage of the new market while learning from the pioneer's mistakes. Then push big to capture the market and crowd everyone else out. Once you're in, you can expand and improve your product. It's been pretty effective for them over the years.

Re:Apple just doing what MS has done for years (0)

Anonymous Coward | more than 3 years ago | (#37072176)

MS is the typical fast follower: let someone else test the market,

...then purchase the #2 or #3 product, integrate it half-assed into your existing products, and *then* push big to capture the market and crowd everyone else out.
After that, expand and improve your product if you feel like it. Or not.

So, yes, it has been pretty good to MS.

Wow (0)

Anonymous Coward | more than 3 years ago | (#37071526)

The guy is named after an operating system? That's hardcore.

Re:Wow (1)

OffaMyLawn (1885682) | more than 3 years ago | (#37071704)

Maybe he loved his work so much that he had his name changed. Which would make him not right in the cranium area.

Re:Wow (1)

cashman73 (855518) | more than 3 years ago | (#37071782)

Well, if he's going to be named after a Microsoft product, at least, for the most part, Windows is generally successful. Apple never would've hired him if he was named after Microsoft Bob... We all know that Bobs don't make good consultants [imdb.com]...

A brilliant observation since (1)

Kupfernigk (1190345) | more than 3 years ago | (#37072144)

Her first name is actually Mwende

Re:Wow (1)

kelemvor4 (1980226) | more than 3 years ago | (#37072086)

.. or a hole in the wall.

Re:Wow (0)

Anonymous Coward | more than 3 years ago | (#37072170)

Didn't that Torvalds guy change his name to Linus after the operating system? ;)

Seriously, Window Snyder is a woman, and apparently that is her real name.

Obscurity Lost (1)

DrifterX79 (824302) | more than 3 years ago | (#37071528)

Once, Mac was safe, supposedly due to obscurity. Actually, it is still reasonably safe when configured right. But Apple will not take Microsoft's path. I really see this leading to the shift from MacOS to iOS on the Macs. Completely locked down and protected by gatekeepers.

Which wouldn't be so bad. It would give Unix/BSD/Linux/GNU a new place to fight for users.

Re:Obscurity Lost (2, Informative)

gubers33 (1302099) | more than 3 years ago | (#37071696)

Apple is still safe due to obscurity: the corporate world almost strictly uses MS, and while Apple has grown its user base in recent years, they have not touched the corporate market. Anyone will attempt to go after corporate before personal users because the reward is greater. MacOS is still the most vulnerable OS on the market. Yes, you can lock it down by changing a lot of settings, but you can do additional configuring on Linux and Windows machines. MacOS doesn't lose Pwn2Own the quickest every year for no reason.

Re:Obscurity Lost (1)

BasilBrush (643681) | more than 3 years ago | (#37071944)

Yes, you can lock it down by changing a lot of settings, but you can do additional configuring on Linux and Windows machines. MacOS doesn't lose Pwn2Own the quickest every year for no reason.

Well in part because Pwn2Own doesn't test Linux.

No, really they don't. Check it out:
http://en.wikipedia.org/wiki/Pwn2own [wikipedia.org]

Re:Obscurity Lost (1)

gubers33 (1302099) | more than 3 years ago | (#37072246)

True, I forgot they don't do Ubuntu anymore. However, in the phone part of the contest, Android is a Linux-based OS.

Re:Obscurity Lost (1)

similar_name (1164087) | more than 3 years ago | (#37072368)

From your link

In the 2008 contest, a successful exploit of Safari caused Mac OS X to be the first OS to fall in a hacking competition. Participants competed to find a way to read the contents of a file located on the user's desktop, in one of three operating systems: Mac OS X Leopard, Windows Vista SP1, and Ubuntu 7.10 . On the second day of the contest, when the rules were loosened and allowed attack surfaces expanded to include Web browsers, Charlie Miller compromised Mac OS X through an unpatched vulnerability of the PCRE library used by Safari.[4] Miller had been aware of the flaw prior to the beginning of the conference and worked to exploit it unannounced.[4] The exploited vulnerability was patched in Safari 3.1.1, among other flaws.[7] At the end of the contest, only the Ubuntu system remained unexploited.

But yeah, that's the only reference to Linux I saw. Emphasis mine.

Re:Obscurity Lost (2)

Daniel Dvorkin (106857) | more than 3 years ago | (#37073282)

Three years ago is forever in security terms. "Pwn2Own doesn't test Linux," in present tense, is a true statement; and knowing the relative vulnerability of Leopard, Vista, and Ubuntu 7 tells you next to nothing about how Lion, Windows 7, and Ubuntu 11 stack up against each other today.

Re:Obscurity Lost (1)

next_ghost (1868792) | more than 3 years ago | (#37072440)

Actually, the last time Ubuntu was in Pwn2Own (2008), it was the only system that didn't get pwned. Oh, and see those Androids listed under Mobile Phones? That's Linux too. (Cue flame about Android not being Linux...)

Re:Obscurity Lost (1)

ceoyoyo (59147) | more than 3 years ago | (#37072208)

"Anyone will attempt to go after corporate before personal users because the reward is greater."

What? Most infections are aimed at creating botnets, and the payoff is WAY higher outside of corporations. They usually monitor traffic and are pretty good at cleaning up infected machines. Home users? Not so much.

Marketshare was a reasonable argument when Apple had 2% and shrinking. Now that they've got 10%+ and growing, it doesn't hold so much water. Not to mention that Darwin runs zillions of iPads and iPhones in addition to Macs.

Re:Obscurity Lost (2)

gubers33 (1302099) | more than 3 years ago | (#37072316)

For malware, yes it is better to target a home user. For exploiting a machine to gain access to their network and steal information, corporate. Not all exploits are malware related.

Re:Obscurity Lost (1)

shmlco (594907) | more than 3 years ago | (#37072280)

From Ars, "In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job."

Then there's privilege separation, which breaks up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities. Video decoding, PDF decoding, and HTML decoding are already handled this way in Lion. (Not to mention sandboxing Flash into its own tiny little world.)

As to market share, this meme needs to die. If one in ten Windows boxes had a wide-open security hole a virus could exploit, how long do you think it would take for someone to write it and attempt to take advantage of it? A month? A week? A day? Well, one in ten computers are Macs, and we seem to have, ah, well, basically zero active viruses and botnets. It's no harder to scan millions of machines for that one-in-ten Mac than it is to scan for that one-in-ten exploit in Windows.

Corporate vs home? Are you nuts? Home computers are much more likely to have credit card numbers and passwords and bank account numbers floating around. Home computers are much less likely to have current security updates and hot fixes installed. Home computers are much less likely to be behind firewalls and other active and monitored security measures.

And -- if you look at the numbers -- home computers are much more likely to have botnets and emailers and other malware installed.
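Worked example (added here; not code from the page, Apple or Ars): a quick audit of a Lion-style App Sandbox entitlements plist, the "list of entitlements" the post above quotes, that reports whether the sandbox is enabled, which broad entitlements are requested, and any temporary-exception keys. The entitlement key names are the ones Apple documents for the App Sandbox; the sample plist is constructed for this example and describes a hypothetical PDF viewer that asks for far more than a PDF viewer needs.

```python
"""Audit an App Sandbox entitlements plist for breadth of access.

Added example (not code from the page, Apple or any linked article).
Entitlement key names follow Apple's App Sandbox documentation; the
sample plist below is constructed for this example.
"""
import plistlib

# Entitlements that grant broad access; a minimal app should justify each one.
BROAD_ENTITLEMENTS = {
    "com.apple.security.network.client": "outbound network connections",
    "com.apple.security.network.server": "inbound network listener",
    "com.apple.security.files.downloads.read-write": "write to ~/Downloads",
    "com.apple.security.files.user-selected.read-write": "write any file the user picks",
    "com.apple.security.device.camera": "camera access",
    "com.apple.security.device.microphone": "microphone access",
}
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
SANDBOX_KEY = "com.apple.security.app-sandbox"


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Summarise an entitlements plist: sandboxed?, broad grants, temporary exceptions."""
    ent = plistlib.loads(plist_bytes)
    sandboxed = bool(ent.get(SANDBOX_KEY, False))
    broad = sorted(k for k, v in ent.items() if k in BROAD_ENTITLEMENTS and v is True)
    exceptions = sorted(k for k in ent if k.startswith(TEMP_EXCEPTION_PREFIX))
    findings = []
    if not sandboxed:
        findings.append("not sandboxed: process runs with the full rights of the user")
    for k in broad:
        findings.append(f"{k}: {BROAD_ENTITLEMENTS[k]}")
    for k in exceptions:
        findings.append(f"{k}: temporary exception punches a hole in the sandbox")
    return {"sandboxed": sandboxed, "broad": broad, "exceptions": exceptions, "findings": findings}


# Constructed sample: a hypothetical PDF viewer that asks for far more than it needs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
  <array><string>/</string></array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for line in audit_entitlements(SAMPLE_PLIST)["findings"]:
        print(line)
```

Run against a real app's entitlements (`codesign -d --entitlements :- /path/to/App.app` prints them as a plist on a Mac) the same function shows whether the sandbox is actually on and how much of the fine-grained model the developer threw away with exceptions; a temporary-exception path of `/` in particular makes the sandbox almost decorative.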

Re:Obscurity Lost (0)

gubers33 (1302099) | more than 3 years ago | (#37072766)

I'm not going to argue with a fanboi; it's like arguing with a wall. You already proved my point that Apple has a 10% market share to the, what, 89% for Windows? I am not saying that Apple's security sucks, I am saying they still have the obscurity factor. However, fanbois like you believe that Apple is the end-all be-all of computers and its security is almighty. It is not; it wouldn't lose the fastest in Pwn2Own every year if it were. Is Lion a big step forward in their security? Absolutely, and so is Windows 7 from XP (not counting Vista, since it never gained market share). Put your fanboi beliefs aside and look at the facts. Roughly 9 out of every 10 computers runs Windows, including the juicy targets in the corporate world that you could possibly hit as well. Apple lost Pwn2Own fastest every year. Say whatever you want, you cannot deny that fact. Yes, security has improved in Lion and Windows 7 and the various Linux OSs, but the attacks are evolving to counter these improvements. Like my professor always said, the only secure computer is the one that is turned off and unplugged.

Re:Obscurity Lost (1)

oh_my_080980980 (773867) | more than 3 years ago | (#37073196)

And I'm not going to argue with idiots. Saying Apple is more secure through obscurity is stupid. An OS does not have more or fewer security exploits because of the number of people using it. Security holes already exist in the OS; they were already present.

For OS X and Windows to be the same, OS X would have to have the same type and number of exploits. OS X does not.

There are over 100,000 viruses for Windows. OS X has about 5.

Windows has more security exploits than OS X. That's a fact.

Re:Obscurity Lost (2)

VGPowerlord (621254) | more than 3 years ago | (#37073180)

From Ars, "In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job."

Then there's privilege separation, which breaks up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities. Video decoding, PDF decoding, and HTML decoding are already handled this way in Lion. (Not to mention sandboxing Flash into its own tiny little world.)

Windows doesn't have such fine-grained security controls (at least not to my knowledge), but there is a public API that a process can use to lower its privileges. IE is actually one of the programs that uses it.

The problem is, most programs (including things like Firefox) don't use this lower privilege mode.

Meanwhile (4, Informative)

CharlyFoxtrot (1607527) | more than 3 years ago | (#37071600)

Meanwhile actual hackers, like the guys who won the Pwn2own contests by beating OSX security, now say OSX Lion is more secure than Windows [macnn.com] (even though they previously freely admitted Snow Leopard was trailing Windows' [macobserver.com] latest offering in that department.)

"Both Miller and his co-author in the book The Mac Hacker's Handbook, Dino Dai Zovi of Trail of Bits, said that from a security perspective, Snow Leopard was little better than Leopard, but that Lion is a "significant improvement." Zovi describes the level of security in Lion as "Windows 7 plus plus." Apple hired the inventor of the BitFrost security system for OLPC, Ivan Krstic, two years ago in an effort to beef up core OS security. Krstic's methods in BitFrost mirror closely what has now been implemented in Lion."

Re:Meanwhile (0)

Anonymous Coward | more than 3 years ago | (#37071698)

One of the biggest improvements in Lion was proper sandboxing. Pretty much everything in Lion runs in a sandbox that gives it only the controls it says it needs in advance. I may be an Apple-hater in general, but that's damn smart.

Re:Meanwhile (0)

Anonymous Coward | more than 3 years ago | (#37071840)

I think you are confusing workstation security with enterprise security. The OS may be secure against malware/etc but the enterprise config may make it easy to break network security/sniff passwords etc.

Re:Meanwhile (0)

Anonymous Coward | more than 3 years ago | (#37072196)

And I think you are confusing parroting things you heard on the internet with actually knowing what you're talking about.

Re:Meanwhile (2)

goombah99 (560566) | more than 3 years ago | (#37071922)

Sigh... Windows security was highly compromised by a few very simple things. It encouraged users to be Admins by making simple tasks require admin, its registry required modifying system resource handles by untrusted apps, and it had no way to tag files as tainted after a download to warn users when they opened them.

Then the access controls that were implemented swung the pendulum too far too early. Unix permissions on a mac are useful while not being terribly difficult to maintain. The OS will take care of keeping all the critical ones set for you.

Macs also of course have a sophisticated ACL, but prior to Lion no one seriously used it. It remains to be seen how it will get used.

The big new hopes are the No-Execute, randomized addressing, and sandboxing.

Sandboxing has been in Macs since 10.4, but it is only coming into regular use in 10.7. For example, Safari uses it to separate parsing from display. It's built into the OS, as it should be, so you are not relying on app makers to implement their own. It works really, really well, but it's poorly documented.

I don't see why anyone would think that Apple is a follower of MS. Well, I guess we can credit MS for showing how bad designs can trap you in ways you can't shake off later without breaking everything.

Re:Meanwhile (1)

PickyH3D (680158) | more than 3 years ago | (#37072226)

Because every "big new hope" security feature that you described, except default sandboxing for all (it has been in IE for a while), Microsoft brought into Windows starting with XP Service Pack 2, which came out in 2004.

Re:Meanwhile (1)

0123456 (636235) | more than 3 years ago | (#37072426)

Because every "big new hope" security feature that you described, except default sandboxing for all (it has been in IE for a while), Microsoft brought into Windows starting with XP Service Pack 2, which came out in 2004.

I presume that's their point? They're beneficial, but can't fix Windows' poor design and decades of backwards compatible security holes.

Re:which linux had around 1998 (0)

Anonymous Coward | more than 3 years ago | (#37072458)

Some even earlier.

Re:Meanwhile (1)

LordLimecat (1103839) | more than 3 years ago | (#37073290)

Complex ACLs have been around since the inception of NTFS, and remain better than most other commonly used FS ACL options (someone is likely to make a fool out of me with such a broad statement, but oh well).

Re:Meanwhile (1)

farrellj (563) | more than 3 years ago | (#37071966)

These people are definitely better informed about the internals of the operating systems in question. Too many security "experts" simply know how to read books and articles written by other security "experts", and a number of them are paid shrills for various operating system owners. If someone can pwn your system, then go and tell you both how and why they were able to do it, I would trust their opinion more than someone who is a talking head at some magazine, website or TV program!

Re:Meanwhile (1)

Baseclass (785652) | more than 3 years ago | (#37073120)

paid shrills

I wasn't aware there was a market for such a thing.

Re:Meanwhile (4, Interesting)

jimicus (737525) | more than 3 years ago | (#37072396)

IMV, Apple products/features over the course of the last 5-8 years follow a fairly straightforward model which can be broken down into a few steps.

1. Release Not-Terribly-Shiny Version 1.0. It may not be the most sophisticated in the world, it may have a whole heap of issues. But it will be released. The rest of the world says "ho-hum". It probably won't sell spectacularly, but it won't be an abject failure. (See also: First generation iPod. First generation iPhone. OS X when first released.)
2. Release Shiny Version n+1. It fixes most of the issues of the previous version. Technologically it's unusual for it to do anything new, anything that the competition doesn't already do. But what it does it executes with so much style, so much polish that the rest of the industry is left looking rather pathetic and scrabbling to catch up. It sells spectacularly. (See also iPhone 3G)
3. Apple will rest on its laurels. There will be updates to their products, but by and large they'll be relatively minor increments rather than ground-breaking "my God that's amazing" ideas. These will be released as Shiny Version 3.0 and 4.0. (See also iPhone 3GS, OS X versions 10.3-10.4).
4. The rest of the industry will catch up. Products will appear that compete with Apple's equivalent on features, price and polish. Then, just as people are starting to seriously question Apple and wonder what they're doing...
5. Repeat steps 2-4.

If I'm right, the iPhone 5 won't be a huge breakthrough over the iPhone 4. It may have a few tweaks here and there, but it won't be "Steve, take me now!" fantastic. The iPhone 6, however, will probably be leaps and bounds ahead of the 5.

Re:Meanwhile (2)

timster (32400) | more than 3 years ago | (#37072640)

Yeah but, on the other hand, talking to hackers, even information security experts, isn't really good enough. There are too many opinions out there and not enough facts.

The first problem is that we don't have any sort of useful objective metric to compare the security of various operating systems. "Number of vulnerabilities found" is unfair to the popular ones. "Severity of the worst vulnerability found" is useless because everyone has remote root exploits found from time to time.

And even an objective metric doesn't measure what really matters: the threat ecosystem. Windows had lax security for years, even years during which the Internet was common, and nobody cared much. But this lax environment bred an ecosystem of hackers, and especially criminal hackers, dedicated to compromising Windows machines for profit. Then Microsoft was asleep at the switch for a while and allowed this problem to grow out of control. Melissa should have been a gigantic red flag but they pretended that it wasn't their problem and that everyone should just buy a virus scanner.

Once this sort of problem has taken root it is very difficult to eliminate. Once there was a large group of intelligent, highly-motivated individuals with experience in breaking into Windows computers, they weren't going to disappear just because Microsoft released some patches. It took a substantial security effort over many years and even still the Windows-based criminal community is likely to be much larger than the OSX one or the Linux one or the iPhone one, even by proportion to user base (although I am not aware of any actual surveys).

Even if OSX were easier to break into in an objective sense, these people have experience with Windows and they're probably not eager to switch to a new system. So Apple has an easier time of things and this could remain the case for a while as long as they are aggressive about going after new threats. I do think they are correct to recommend against virus scanners in general, since foisting the problem of security off on a third-party (and usually an incompetent one) only masks the real problems.

Re:Meanwhile (1)

LordLimecat (1103839) | more than 3 years ago | (#37073256)

OSX Lion is also a whopping 3 weeks old, while Win7 is 2 years old. Want to bet that when Windows 8 comes out, it will be more secure than OSX Lion?

Regardless, you and I both know that when the next Pwn2Own comes along, the Probook is going down first. Where the money is, there will be the exploits.

what has Snyder achieved? (1)

Hazel Bergeron (2015538) | more than 3 years ago | (#37071630)

There are lots of "security professionals" who actually have very little technical knowledge, let alone technical knowledge specific to security.

Having vague ideas on a process doesn't mean having to hire a particular person.

What's actually going on here, Apple?

Re:what has Snyder achieved? (2)

synthesizerpatel (1210598) | more than 3 years ago | (#37072784)

I first met Window about 12 years ago; she was sharp and capable when it came to security. I doubt much has changed. In terms of achievement, not every achievement ends up being a big publicized event where implementors are handed plaques to commemorate the occasion. Security is a boring and incremental effort when you're trying to improve process.

So, I guess I'm a little biased with the (weak) personal connection, but don't hate just because you don't know who she is or what she's done.

Not unlikely at all (2, Interesting)

Anonymous Coward | more than 3 years ago | (#37071646)

Most security professionals (and even famous hackers, like pwn2own winners) today acknowledge that Microsoft's security development practices are very good, and so is their latest OS. Everybody who has not devolved into pure fanboyism understands that this can be the case even if they still have a higher volume of issues than Macs have for now.

Re:Not unlikely at all (2)

bberens (965711) | more than 3 years ago | (#37072146)

It takes a long time for "common knowledge" to change. Take for example American cars. Whether you think they're on par or not they have made a lot of progress in catching up with foreign manufacturers but are still largely considered inferior products.

Is that former MS Employee truly named "Window"? (1)

fortfive (1582005) | more than 3 years ago | (#37071672)

Could only be better if his last name was "Gaard."

Re:Is that former MS Employee truly named "Window" (3, Informative)

show me altoids (1183399) | more than 3 years ago | (#37071748)

It's a she, and her real name is Mwende.

Re:Is that former MS Employee truly named "Window" (0)

Anonymous Coward | more than 3 years ago | (#37071868)

Who did you think the OS was named after? Bill Gates' mom?!? Psht!

Re:Is that former MS Employee truly named "Window" (1)

rubycodez (864176) | more than 3 years ago | (#37072928)

Hey, celebrities' moms aren't fair game, leave Blooscreena out of this.

Interesting (1)

Anonymous Coward | more than 3 years ago | (#37071722)

It is interesting to read the previous Slashdot article about the insecurity of Apple networks. The people pooh-poohing the research all get modded up to +5 and the actual researchers' responses never do.

The main point is you cannot secure any version of OSX in an enterprise configuration. With the most recent versions of Windows you can.

Window? (1)

Marc Madness (2205586) | more than 3 years ago | (#37071756)

Am I the only person who finds it odd that a former Microsoft employee is named Window?

Re:Window? (1)

gubers33 (1302099) | more than 3 years ago | (#37071780)

I think it is pretty bad ass honestly. Apple better counter and hire some guy named Lion.

Re:Window? (0)

Anonymous Coward | more than 3 years ago | (#37071902)

lowe is German for lion.

Rob Lowe the actor for example.

Re:Window? (1)

rubycodez (864176) | more than 3 years ago | (#37072968)

Almost, it's Löwe.

Leon is French for lion.

Re:Window? (0)

Anonymous Coward | more than 3 years ago | (#37073294)

Almost, it's lion.

Re:Window? (1)

BenoitRen (998927) | more than 3 years ago | (#37072012)

She's not only a former Microsoft employee. She has worked with Mozilla on Firefox's security as well.

Security is a *strength* for MS? Really!? Who knew (4, Interesting)

GSloop (165220) | more than 3 years ago | (#37071818)

"It's taken Microsoft 10 years to turn security from a weakness into a strength"

Really? A strength? Seriously?

Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack? Because security is a "strength" for Microsoft?

Honestly, while security *may* be better [and I'm not sure that's true] at MS, it certainly IS NOT a strength of theirs.

If that's the view of the moron who wrote this - I'll trust everything else written with the same level of massive skepticism. [i.e. It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.]

Re:Security is a *strength* for MS? Really!? Who k (2)

PhrostyMcByte (589271) | more than 3 years ago | (#37072496)

Really? A strength? Seriously? Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?.... Because Security is a "Strength" for Microsoft?

You'll notice a great majority of the exploits are found in old code. They've got quite rigorous security practices now, and their new code is benefiting greatly from it. I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.

Re:Security is a *strength* for MS? Really!? Who k (2)

GSloop (165220) | more than 3 years ago | (#37072834)

Pardon me if I'm not overwhelmed.

MS: "Yeah, your home is like Fort Knox - no one will break in through the new stuff we built. Mumble mumble mumble"
Me: "What was that mumbling?"
MS: "Well, everything is really secure, except the old stuff - like, you know, the doors and windows. That's old stuff. You can't hold us responsible, even if we built it. Only the new stuff matters and it's like a rock! No one will break in through the roof or walls!"
Me: "Ah, yeah - I feel so much better already!"

Sheesh.

If the new stuff is SO much better, and it's all that old crap code, then go back and fix it. Until then, I'll assume security doesn't matter much to you since while they can't break the "new" code - there's loads of old code that's full of holes. The practical experience is "it's full of holes." I don't much care where they come from.

[And even then, I don't yet buy the "Well the new stuff is so much better." because I don't see much evidence of it.]

-Greg

Re:Security is a *strength* for MS? Really!? Who k (0)

Anonymous Coward | more than 3 years ago | (#37073042)

> You'll notice a great majority of the exploits are found in old code

If said old code is still what's running, you don't get to use its age to dismiss it as a weakness. It's a weakness until it's fixed. Only after it's fixed do you get to brag about having turned weakness into strength.

Re:Security is a *strength* for MS? Really!? Who k (0)

Anonymous Coward | more than 3 years ago | (#37073264)

I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.

It's good to acknowledge this, since it's all that matters.

Everyone is always "on the path" to somewhere. For instance, everyone in the US is on the path to becoming billionaires. Every single person. Just ask them.

Likewise:
-GNU HURD is on the path to become the kernel for the GNU operating system.
-Enlightenment 0.17/E17 is on the path to a stable release.
-KDE 4 is on the path to a stable release.
-Paul Graham's Arc is on the path to become the next great programming language.
-Windows is on the path to being secure.

Re:Security is a *strength* for MS? Really!? Who k (0)

Anonymous Coward | more than 3 years ago | (#37072548)

It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.

That's because you're holding it wrong.

sounds like doublespeak (4, Insightful)

v1 (525388) | more than 3 years ago | (#37071822)

It's taken Microsoft 10 years to turn security from a weakness into a strength

The only thing "strong" about Windows security is the botnets that grow to 100,000 computers strong.

Until MS expunges the litany of windows-running botnets from my inbox I'm not buying that BS. If they can take down the botnets, I'll acknowledge they've taken security seriously from a consumer protection standpoint. They can trot around the ring all day long yelling "We're tough on security now!" and I'll sit back with an "I'll believe it when I see some results" attitude. Put up or shut up. Ya I know, fat chance, but that's my opinion on it.

Re:sounds like doublespeak (0)

Anonymous Coward | more than 3 years ago | (#37072536)

What security scheme do you suggest? Requiring an IQ test before being allowed to buy a license?
If the user wants to run a program the OS can't (or at least shouldn't) stop him, even if that program does in fact send spam mails.

Re:sounds like doublespeak (1)

VGPowerlord (621254) | more than 3 years ago | (#37072950)

And, of course, they have a program you can add to Windows (but can't ship with Windows for antitrust reasons (thanks Symantec!)) called Microsoft Security Essentials [microsoft.com] to actually help protect against user stupidity.

If America was a family making $50k a year... (-1)

Anonymous Coward | more than 3 years ago | (#37071838)

They would also have over $300k of credit card debt. Can someone please explain to me how our debt situation is even remotely sustainable? We're counting on tax revenue from workers who have yet to exist! And how is it even remotely moral to borrow money from the taxpayers of developing nations to cover our extravagant corporate and social welfare expenses?

not that unlikely (0)

Anonymous Coward | more than 3 years ago | (#37072002)

Anyone who thinks MS and Apple are “unlikely” partners must have slept through the past 10 years.

Windows still sucks (1)

Anonymous Coward | more than 3 years ago | (#37072010)

With a ten-year head start, Windows still sucks.

does this mean... (1)

roc97007 (608802) | more than 3 years ago | (#37072022)

...that now every new version of OSX will run slower and slower?

Correction (0)

Anonymous Coward | more than 3 years ago | (#37072042)

There is a typo in the summary and here is the correction:

  "It's taken Microsoft 100 years to turn security from a weakness into a strength and it is still not as good as Unix."

Re:Correction (1)

1s44c (552956) | more than 3 years ago | (#37073080)

There is a typo in the summary and here is the correction:

  "It's taken Microsoft 100 years to turn security from a weakness into a strength and it is still not as good as Unix."

The important part being it's not as good as _ANY_ Unix, free or non-free.

I think the writer meant 'shambles' but spelled it wrong and somehow it got spell-checked to 'strength'.

Freetards are having a field day (0)

Anonymous Coward | more than 3 years ago | (#37072108)

Comment away, maybe that'll make Linux relevant on desktops.

Re:Freetards are having a field day (1)

1s44c (552956) | more than 3 years ago | (#37073022)

Comment away, maybe that'll make Linux relevant on desktops.

Ubuntu works better than Windows on desktops. It's more secure, it's free, doesn't need a virus scanner because it's designed properly, and it comes with bucketloads of great software at no extra charge.

But if you like expensive, slow, and bug-ridden OSes that teem with viruses, feel free to use Windows. It's totally up to you.

The guy is called Window (0)

Anonymous Coward | more than 3 years ago | (#37072344)

Seriously? And he worked for MS? (this must be a glitch in the Matrix)

Weird (2)

iluvcapra (782887) | more than 3 years ago | (#37072800)

I really can't think of two companies that approach the problem from such different directions:

  • Apple has a very top-down developer/third party attitude about its relationship with developers. It loves them and everything, but they take the interpretation of their developer documentation very seriously, they don't give product or platform roadmaps, and they will change, deprecate and remove APIs as is their wont. To Apple, the computer buyer is the customer, and the developers are a sort of collateral operation. Microsoft sees developers as their main customers, and goes to extraordinary lengths to make sure that if a program ran under some version of Windows, it will always run without the developer having to update -- if it runs once, Microsoft considers that a contract. This makes the platform much more stable and predictable but allows all sorts of bad behavior to go uncorrected.
  • Apple leverages lots of open source projects to provide the middleware on their platform; granted they sometimes leverage quite old versions of open source projects. Microsoft is committed to in-house development of the complete system -- you'd never see Microsoft ship OpenSSH, KHTML, or a Ruby interpreter with their operating system, they're much more apt to ship their own tools to accomplish the same things, with all the benefit and risk that entails.
  • Microsoft is committed to the PC as a platform for computing, and differentiating the "power" of a Real Computer from things like mobile devices or appliances, so they don't countenance things like sandboxes, curated app stores, the principle of least privilege -- they're much more deferential to developers. Apple is happy to impose much tighter system-level restrictions (in Lion, apps aren't even allowed to traverse the filesystem directly anymore; all of this happens outside the app's address space), and Apple is much less grandiose and much more practical about designing programming environments.
  • Apple sees the ultimate security of the system as the vendor's responsibility. Microsoft sees the ultimate security of the system as the user's responsibility. Pick your poison.

Obvious point here (2, Insightful)

1s44c (552956) | more than 3 years ago | (#37072948)

'It's taken Microsoft 10 years to turn security from a weakness into a strength.

Microsoft security isn't a strength, it's mediocre at best. This statement is just blatantly false.

Apple have problems but they are fixable because they started with a solid proven design, UNIX. Microsoft never had that advantage.

Yes MS would be a great security retsaM (1)

140Mandak262Jamuna (970587) | more than 3 years ago | (#37072974)

retsaM is a security teacher. retsaM is Master written backwards. To learn from a retsaM you do everything the opposite way. If they do A you do !A. If they advise you to do B you do !B. This is how Apple can learn from Microsoft the security lessons. oops sorry. snossel !

far more resistant to malware (1)

microphage (2429016) | more than 3 years ago | (#37073250)

This article is total nonsense; malware can only be resistant to the end user not downloading and clicking on and entering the admin password. Why it deserves a Slashdot mention is beyond me.

lol (0)

Anonymous Coward | more than 3 years ago | (#37073302)

lol
