
Apple hires former Windows security hacker to strengthen OS X

post #1 of 37
Thread Starter 
It was discovered on Thursday that famed hacker and former Microsoft employee Kristin Paget is now working for Apple as a core operating system security researcher, suggesting the Cupertino company is beefing up OS X safeguards amid recent Mac-directed malware attacks.

New Apple hire Kristin Paget. | Source: Jean-Philippe Martin via Wired


When employed by Microsoft, Paget worked alongside a small team of hackers tasked to find security holes in Windows Vista before the OS was released to the public in 2007, reports Wired. The group apparently found so many flaws that Vista's launch date was pushed back while fixes were put in place.

According to her LinkedIn profile, as of September Paget is listed as being a "Core OS Security Researcher at Apple" based out of Cupertino. Previously, she held the position of chief hacker at security firm Recursion Ventures, but said in June that she wanted to find a job building "security-focused hardware."

Paget, formerly known as Chris Paget, gained notoriety for a number of hacker feats of strength, including a cellphone call-intercepting station at the Defcon hacker conference and a long-range RFID identifier duplication device.

While the hacker's responsibilities at Apple remain unknown, it can be speculated that she will be working to thwart future attacks like the Flashback trojan that affected an estimated 600,000 Macs in April. Most recently, a piece of Mac-targeted malware similar to Flashback was found embedded in a webpage dedicated to the Dalai Lama.
post #2 of 37
I'm sure she/he/it (?) will make a good addition to apple.

Edit: OK I'm a jerk. But that picture was a little jarring. Sorry
Edited by enjourni - 12/6/12 at 2:54pm
post #3 of 37
I was thinking she looked awfully manly, then read about the name change. Makes perfect sense.

Also good to see Apple making moves to improve security.

"My 8th grade math teacher once said: "You can't help it if you're dumb, you are born that way. But stupid is self inflicted."" -Hiro. 

...sometimes it's both
post #4 of 37
She needs to go work at Oracle if she is going to fix Java bugs.
post #5 of 37
Great! I am really glad Apple is not blind and still thinking they can't be touched.

I just hope that some day soon, the virus protection will be built in to the I/O controller so that all data in and out of the box is checked independently of the OS. This is a nice job for an Ax chip that checks every packet and every byte coming into the memory. This way, you can't hack it as easily as you can when it is dependent on the OS.

Yes, it will cost more, but for the protection of the Apple image, it will be worth it.
post #6 of 37
Quote:
Originally Posted by Richard Getz View Post

Great! I am really glad Apple is not blind and still thinking they can't be touched.

 

Touched by what, exactly?

 

We're up to how many trojans now?  6?

 

We get one (at most, two) every year. 

 

That's negligible. And not especially interesting either way, in light of the proliferation of iOS. 

post #7 of 37
Originally Posted by Richard Getz View Post
I am really glad Apple is not blind and still thinking they can't be touched.

 

They never thought that.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #8 of 37

I hope they are putting more effort in than just hiring one person. They need to employ 100+ people to turn around a real lack of investment in OS X security.

post #9 of 37
@quadra 610, never said there was a large outbreak, or even a small one. But you can't rest on the fact that you are invincible. Having better security is always a great thing.

@tallest skil, the overall air about Apple is that they are invincible and security is far behind design. Sure, having a UNIX core really helps. Taking it to the next level as Apple always does, is the right thing to do.
post #10 of 37
Quote:
Originally Posted by Richard Getz View Post

@quadra 610, never said there was a large outbreak, or even a small one. But you can't rest on the fact that you are invincible. Having better security is always a great thing.
@tallest skil, the overall air about Apple is that they are invincible and security is far behind design. Sure, having a UNIX core really helps. Taking it to the next level as Apple always does, is the right thing to do.

 

Nothing with a network connection and wetware is invincible, nothing.

 

Apple knows this, the majority of apple users know this.

 

Why do people continue to indulge this fantasy?

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #11 of 37
Originally Posted by Richard Getz View Post
@tallest skil, the overall air about Apple is that they are invincible…

 

You're putting on that air yourself. They have never said this.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #12 of 37
Quote:
Originally Posted by Richard Getz View Post

@quadra 610, never said there was a large outbreak, or even a small one. But you can't rest on the fact that you are invincible. Having better security is always a great thing.

@tallest skil, the overall air about Apple is that they are invincible and security is far behind design. Sure, having a UNIX core really helps. Taking it to the next level as Apple always does, is the right thing to do.

 

Richard, why does UNIX have better security? (Forgive my ignorance, newbie to all things A)

post #13 of 37
Quote:
Originally Posted by kennybouy View Post

Richard, why does UNIX have better security? (Forgive my ignorance, newbie to all things A)

That's a great question. I know it's true but I wasn't able to rattle off a dozen things instantly as to why UNIX is inherently more secure than Windows. Because knowing and proving are not the same thing I will look for a more concrete answer other than "because."

edit: OK, a couple things are now coming to mind. UNIX was a multi-user operating system. Windows started out with the user as an Administrator. I'm not sure if that holds true today post WinXP with consumer versions being based on WinNT. Then there is the way permissions are delegated but I wonder if MS has also adjusted that with Windows. I'd still say Windows is less secure of an OS but without a valid argument to defend it we can't rule out that that is no longer the case, even if we say that used to be the case.
Edited by SolipsismX - 12/6/12 at 6:42pm

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #14 of 37

UNIX is also ancient (a good thing!) and so incredibly optimised and stable, with many potential security holes plugged a long time ago.

post #15 of 37

One person is great, but Apple needs a full-time staff dedicated to the problem of how to disable Java.

 

(Interesting that the article didn’t mention Java, the source of all the problems mentioned.)

post #16 of 37

no jailbreak?

post #17 of 37
I think she's a pretty convincing girl. I don't think OS X really needs much more in the way of security features, it already has sandboxing, GateKeeper as well as the standard Unix-y permissions.

It just needs people in the know to mosey around the code base, looking for problems. Maybe the Xcode static analysis could be enhanced to point out security issues?
post #18 of 37
@tallest skil: I have screen caps of the apple website. They have pretty much said this, even if they probably don't anymore.

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #19 of 37
Trans-gender, the original engineer behind the ARM architecture was also thus. Just a bit of trivia, glad to see Apple paying such attention to security issues.
post #20 of 37

I wonder... One thing that could fix any future problem is the mac app store.

 

Why don't we see more known Apps (especially free ones) on it? Chrome, firefox, onyx, dropbox, Skype, plugins like flash and silverlight, paid Apps like office (question of pride, eh?), autocad, etc.

 

Besides dropbox, all my apps (besides HL orange box from steam, and portal2) come from the MAS. I find it amazingly convenient, especially with updates, etc. And I'm sure that if Firefox was on it instead of chrome (for example), more people would use it as the 2nd browser.

 

Then you have Opera, when you install it it says that you must download the website version for complete support lol.

post #21 of 37
props to apple for caring about the insides of the person...

cue the explanation for... the difference between Transsexual vs Transvestite...
A Transsexual is for real (they permanently change their gender) and
A Transvestite is some one who "dresses" up as a woman...

the offense is when you mix up the two.

and the gender of a transsexual is the gender they are now, not the gender they were born with.
post #22 of 37
Originally Posted by SolipsismX View Post
Windows started out with the user as an Administrator. I'm not sure if that holds true today post WinXP with consumer versions being based on WinNT.

 

In Windows today, I believe your account is administrative by default, but they've changed permissions to keep things from administrators. 

 

So even if you manually change the permissions on some items so that you can edit or move them, it refuses to let you actually edit or move them. You can't even turn off 'read-only' status. 


Originally Posted by lightknight View Post
They have pretty much said this, even if they probably don't anymore.

 

Ooh, is this where I do my impression of the drill sergeant in that one movie? 

 

"PRETTY MUCH?! WHO SAID PRETTY MUCH?! HIKE UP YOUR DRESSES, GIRLS, BECAUSE I'M 'PRETTY MUCH' GOOD ENOUGH FOR YOU AND YOU 'PRETTY MUCH' GAVE ME CONSENT."

 

I'll say it again: Apple has never said this. Period. Get over that.


Originally Posted by pedromartins View Post
Why don't we see more known Apps (especially free ones) on it? Chrome, firefox, onyx, dropbox, Skype, plugins like flash and silverlight, paid Apps like office (question of pride, eh?), autocad, etc.

 

A mix of reasons: They don't want to give Apple a cut, the App Store boxes their applications in too much, etc.

 

P…plugins? You want to see Flash anywhere but a Wikipedia page that reads "Discontinued and legally banned"? Much less Silverlight.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #23 of 37
Quote:
Originally Posted by SolipsismX 
I wasn't able to rattle off a dozen things instantly as to why UNIX is inherently more secure than Windows. Because knowing and proving are not the same thing I will look for a more concrete answer other than "because."

I think the main reasons are the following:

- UNIX has always had the source code in the open so if people wanted to find vulnerabilities, they could be found more easily and fixed easily.
- UNIX systems have a better OS layout. One thing that Serlet always pointed to was the registry. The Windows registry is an easy place for malware to hide because it's a very complex database of keys that even if something was out of place, you couldn't really tell and just one or two keys can break the whole system.
- Windows systems have far wider hardware support and have such a huge amount of drivers that again, it's easier for malware to abuse. This is called "dll hell". You could far more easily hide a keylogger in there than with OS X.
- The permissions structure of UNIX systems is more sensible. They keep the core system isolated with higher permissions and it mostly doesn't change. Windows is such a mish-mash of structures that they end up hiding things you do need access to and not properly protecting some things you shouldn't touch. They are in a bit of a rut because unlike Apple, they don't have the luxury of abandoning legacy when they feel like it.
- The Windows program structure is messy. You have hierarchies of app folders with dependent files scattered everywhere. OS X apps are bundles so an entire app can be self-contained and easy to find and the Activity Monitor has a simple view of running processes - it would be nice if Apple's ones were labelled but it's a lot easier to spot suspicious tasks.

There are basically fewer places for malware to hide in a UNIX system. Windows does benefit from security by obscurity in that it's closed source. UNIX systems benefit from the low market share.

If UNIX systems had an 80%+ marketshare, you can bet there would be more security vulnerabilities taken advantage of but the OS design is still safer and more than anything easier to repair. If something did screw up the core OS, you can restore it easily and be up and running. You can't reset the Windows registry that way because it screws up all your apps. You can't reset all your dlls or you have to reinstall hardware again. The Mac system has a very clean separation here.

Adding more talented security staff like Kristin is icing on the cake (still essential though) because they can weed out the obscure vulnerabilities before anyone can take advantage of them - they actually issue updates for a lot of core software people won't even know exists so they sift through it all the time. I'd like to see them tie down some app functionality like externally linking dynamic libraries. One of the Java exploits does that with the browser. There are reasons to allow dynamic libraries to hook into apps at run-time but it's asking for trouble with Safari and it should be an explicit choice made by the user. Same goes for installing apps that just ask for an admin password - loads of legitimate apps ask for it and I want to know why it's asking so I can tell at a glance if it's doing something it shouldn't.
post #24 of 37
Quote:
Originally Posted by Richard Getz View Post

Great! I am really glad Apple is not blind and still thinking they can't be touched.
I just hope that some day soon, the virus protection will be built in to the I/O controller so that all data in and out of the box is checked independently of the OS. This is a nice job for an Ax chip that checks every packet and every byte coming into the memory. This way, you can't hack it as easily as you can when it is dependent on the OS.
Yes, it will cost more, but for the protection of the Apple image, it will be worth it.

 

Quote:
Originally Posted by Quadra 610 View Post

 

Touched by what, exactly?

 

We're up to how many trojans now?  6?

 

We get one (at most, two) every year. 

 

That's negligible. And not especially interesting either way, in light of the proliferation of iOS. 

Oh I think he wanted to say that if Apple put this girl in OS X, they won't ever be .... touched ...

post #25 of 37
Quote:

Originally Posted by Tallest Skil View Post

Ooh, is this where I do my impression of the drill sergeant in that one movie? 

 

"PRETTY MUCH?! WHO SAID PRETTY MUCH?! HIKE UP YOUR DRESSES, GIRLS, BECAUSE I'M 'PRETTY MUCH' GOOD ENOUGH FOR YOU AND YOU 'PRETTY MUCH' GAVE ME CONSENT."

 

I'll say it again: Apple has never said this. Period. Get over that.

 

 

Are you omnipotent? How can you make grand statements about what Apple has never said?

 

That drill instructor had anger issues…

Don't the words 'With virtually no effort on your part…' also have the same weasely connotations as 'pretty much'?

http://sophosnews.files.wordpress.com/2012/06/mac-osx-before-after.jpg from

http://www.securityweek.com/apple-pulls-no-viruses-claim-marketing

 

I've heard Apple store geniuses tell customers 'Macs don't have viruses', which may be technically true at any given point in time, but the tech world changes very fast. Encouraging users to believe they are completely safe can end up getting them exploited by a trojan/malware or malicious WiFi access point instead.

 

I do believe Macs are very safe, but I'm loath to encourage average and non technical users to take it for granted.

post #26 of 37
Originally Posted by Droid View Post
Are you omnipotent? How can you make grand statements about what Apple has never said?

 

…Be…cause I'm going off of what has been on their website, which is what they said. 

 

I don't… If I was saying that Apple HAD said something, you'd have a case. 


Don't the words 'With virtually no effort on your part…' also have the same weasely connotations as 'pretty much'?

 

No, not in the slightest.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #27 of 37

Thanks Marvin, very enlightening answer for this lad.... ta 

post #28 of 37
What I want to know is why it even had to be made a news item that this person was "formerly Chris."

That's a female name, too, so all that's been done is gossip without meaning. And now dudes are remarking about her in ways that have nothing to do with her skills. I know people are curious, but maybe she prefers to be private about it.
post #29 of 37

one thing everyone failed to mention....they hired an infamous WINDOWS hacker......why hire a WINDOWS hacker for a UNIX based operating system?

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

post #30 of 37
Quote:
Originally Posted by Richard Getz View Post

Great! I am really glad Apple is not blind and still thinking they can't be touched.
I just hope that some day soon, the virus protection will be built in to the I/O controller so that all data in and out of the box is checked independently of the OS. This is a nice job for an Ax chip that checks every packet and every byte coming into the memory. This way, you can't hack it as easily as you can when it is dependent on the OS.
Yes, it will cost more, but for the protection of the Apple image, it will be worth it.

 

Apple never "thought they can't be touched." You're confusing the well-known fact that Macs are not affected by the thousands of Windows viruses (something that Apple has pointed out in advertising) with "can't be touched." This is merely your misunderstanding.

 

What Steve Jobs said to Walt Mossberg was that Apple has been fortunate that virus writers are more interested in Windows. He said that the Mach OS kernel is very secure and while Apple takes security very seriously, that you should never say that you're hack-proof. I'm paraphrasing because I don't recall the exact quote, but it was at one of the D conferences.

 

You also have to remember that in the age before Mac OS X, the "classic" Mac OS of the 1980s era was very prone to viruses, and at one point in Mac's history, viruses primarily replicated via sharing infected floppy disks. The very act of inserting and then ejecting a floppy disk (without opening any files) could infect early Macs. Apple has no illusions about being untouchable.

 

Secondly, "stateful packet inspection" already exists in some commercial firewalls or proxy servers, but it's not a magic cure-all for every type of attack vector. And the "I/O controller" is the wrong place for it: virus/trojan/injection detection must be done at higher layers of the OSI model.

 

Quote:
Originally Posted by Tallest Skil View Post

 

You're putting on that air yourself. They have never said this.

 

Correct.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #31 of 37
"Great! I am really glad Apple is not blind and still thinking they can't be touched.

I just hope that some day soon, the virus protection will be built in to the I/O controller so that all data in and out of the box is checked independently of the OS. This is a nice job for an Ax chip that checks every packet and every byte coming into the memory. This way, you can't hack it as easily as you can when it is dependent on the OS." -Richard Getz

The problem is that malware doesn't have a unique signature like a virus, it is basically a normal program that tricks the user into installing it & giving it the rights it needs to wreak havoc. Gatekeeper was a HUGE step in the right direction and since for $100 a year you can sign your apps with a cert from Apple it's pathetic that many big developers like Adobe or Oracle aren't yet signing theirs. It would be nice to see some of these big companies get raked over the coals for being part of the problem by leaving users with no other choice than to set Gatekeeper wide open if they want to use their plug-ins or apps.
post #32 of 37
Originally Posted by hezetation View Post
Gatekeeper was a HUGE step in the right direction and since for $100 a year you can sign your apps with a cert from Apple it's pathetic that many big developers like adobe or oracle aren't yet signing theirs.

 

With the price of certification so low, I should hope that Apple, on discovering that any instance of certification is being misused for malware purposes, would revoke said certification permanently, as well as turning over those in question to the authorities.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #33 of 37
Quote:
Originally Posted by Suddenly Newton View Post

You also have to remember that in the age before Mac OS X, the "classic" Mac OS of the 1980s era was very prone to viruses, and at one point in Mac's history, viruses primarily replicated via sharing infected floppy disks. The very act of inserting and then ejecting a floppy disk (without opening any files) could infect early Macs. Apple has no illusions about being untouchable.

So we have worldwide networking, a higher marketshare, and a substantially higher number of units sold, a much higher installed base, and a phenomenally higher mindshare between Apple today and Apple during Mac OS "Classic" yet there is considerably less malware today. I'd say Apple is doing something right.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #34 of 37
Originally Posted by SolipsismX View Post
…yet there is considerably less malware today.

 

"No, you're wrong. There is more. Because they're more popular. That's why you need anti-virus on your Mac. They'll never be 100% safe. That's why you need to have it."

 

I was told this not two days ago. It has to be right.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #35 of 37
Quote:
Originally Posted by Tallest Skil View Post

"No, you're wrong. There is more. Because they're more popular. That's why you need anti-virus on your Mac. They'll never be 100% safe. That's why you need to have it."

I was told this not two days ago. It has to be right.

There is certainly an argument to be made that a less known and/or less popular OS will be less of a target but when you compare malware on Mac OS Classic to today the argument falls short as the reason why Mac OS X is less affected than Mac OS Classic.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #36 of 37
Quote:
Originally Posted by Tallest Skil View Post

 

They never thought that.

 

 

http://www.adweek.com/adfreak/get-mac-viruses-94103 

 

(sorry, can't find them on apple.com) 

post #37 of 37
Originally Posted by Richard Getz View Post
http://www.adweek.com/adfreak/get-mac-viruses-94103 

 

(sorry, can't find them on apple.com) 

 

Page is 404'd, but Apple's pages always stated "while no system is 100% immune to viruses" or "while no system is completely safe from attack", etc. NEVER that they were perfectly, permanently secure.

 

Ah, fixed the link. That still doesn't refute what I said or prove him right.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.