Apple hires former Windows security hacker to strengthen OS X

I'm sure she/he/it (?) will make a good addition to apple.

Edit: OK I'm a jerk. But that picture was a little jarring. Sorry
Edited by enjourni - 12/6/12 at 2:54pm

I was thinking she looked awfully manly, then read about the name change. Makes perfect sense.

Also good to see Apple making moved to improve security.

She needs to go work at Oracle if she is going to fix Java bugs.

Great! I am really glad Apple is not blind and still thinking they can't be touched.

I just hope that some day soon, the virus protection will be built in to the I/O controller so that all data in and out of the box is checked independently of the OS. This is a nice job for an Ax chip that checks every packet and every byte coming into the memory. This way, you can't hack it as easily as you can when it is dependent on the OS.

Yes, it will cost more, but for the protection of the Apple image, it will be worth it.

 

Touched by what, exactly?

 

We're up to how many trojans now?  6?

 

We get one (at most, two) every year. 

 

That's negligible. And not especially interesting either way, in light of the proliferation of iOS. 

 

They never thought that.

I hope they are putting more effort in than just hiring one person. They need to employ 100+ people to turn around a real lack of investment in OS X security.

@quadra 610, never said there was a large outbreak, or even a small one. But you can't rest on the fact that you are invincible. Having better security is always a great thing.

@tallest skil, the overall air about Apple is that they are invincible and security is far behind design. Sure, having a UNIX core really helps. Taking it to the next level as Apple always does, is the right thing to do.

 

Nothing with a network connection and wetware is invincible, nothing.

 

Apple knows this, the majority of apple users know this.

 

Why do people continue to indulge this fantasy?

 

You're putting on that air yourself. They have never said this.

 

Richard, why dose UNIX have better security? (Forgive my ignorance, newbie to all things A}

That's a great question. I know it's true but I wasn't able to rattle off a dozen things instantly as to why UNIX is inherently more secure than Windows. Because knowing and proving are not the same thing I will look for a more concrete answer other than "because."

edit: OK, a couple things are now coming to mind. UNIX was with multi-user operating system. Windows started out with the user was an Administrator. I'm not sure if that holds true today post WinXP with consumer versions being based on WinNT. Then there is way permissions are delegated but I wonder if MS has also adjusted that with Windows. I'd still say Windows is less secure of an OS but without a valid argument to defend it we can't rule out that is no longer the case, even if we say that used to be the case.
Edited by SolipsismX - 12/6/12 at 6:42pm

UNIX is also ancient (a good thing!) and so incredibly optimised and stable, with many potential security holes plugged a long time ago.

One person is great, but Apple needs a full-time staff dedicated to the problem of how to disable Java.

 

(Interesting that the article didn’t mention Java, the source of all the problems mentioned.)

no jailbreak?

I think she's a pretty convincing girl. I don't think OS X really needs much more in the way of security features, it already has sandboxing, GateKeeper as well as the standard Unix-y permissions.

It just needs people in the know to mosy around the code base, looking for problems. Maybe the Xcode static analysis could be enhanced to point out security issues?

@tallest skill: I have screen caps of the apple website. They have pretty much said this, even if they probably don't anymore.

Trans-gender, the original engineer behind the ARM architecture was also thus. Just a bit of trivia, glad to see Apple paying such attention to security issues.

I wonder... One thing that could fix any future problem is the mac app store.

 

Why don't we see more known Apps (especially free ones) on it? Chrome, firefox, onyx, dropbox, Skype, plugins like flash and silverlight, paid Apps like office (question of pride, eh?), autocad, etc.

 

Besides dropbox, all my apps (besides HL orange box from steam, and portal2) come from the MAS. I find it amazingly convenient, especially with updates, etc. And my sure that if Firefox was on it instead of chrome (for example), more people would use it as the 2nd browser.

 

Then you have Opera, when  you instal it it says that you must download the website version for complete support lol.

props to apple for caring about the insides of the person...

cue the explaination for... the difference between Transsexual vs Transvestite...
A Transsexual is for real (they permanently change their gender) and
A Transvestite is some one who "dresses" up as a woman...

the offense is when you mix up the two.

and the gender of a transsexual is the gender they are now, not the gender they were born with.

 

In Windows today, I believe your account is administrative by default, but they've changed permissions to keep things from administrators. 

 

So even if you manually change the permissions on some items so that you can edit or move them, it refuses to let you actually edit or move them. You can't even turn off 'read-only' status. 

 

Ooh, is this where I do my impression of the drill sergeant in that one movie? 

 

"PRETTY MUCH?! WHO SAID PRETTY MUCH?! HIKE UP YOUR DRESSES, GIRLS, BECAUSE I'M 'PRETTY MUCH' GOOD ENOUGH FOR YOU AND YOU 'PRETTY MUCH' GAVE ME CONSENT."

 

I'll say it again: Apple has never said this. Period. Get over that.

 

A mix of reasons: They don't want to give Apple a cut, the App Store boxes their applications in too much, etc.

 

P…plugins? You want to see Flash anywhere but a Wikipedia page that reads "Discontinued and legally banned"? Much less Silverlight.

I think the main reasons are the following:

- UNIX has always had the source code in the open so if people wanted to find vulnerabilities, they could be found more easily and fixed easily.
- UNIX systems have a better OS layout. One thing that Serlet always pointed to was the registry. The Windows registry is an easy place for malware to hide because it's a very complex database of keys that even if something was out of place, you couldn't really tell and just one or two keys can break the whole system.
- Windows systems have far wider hardware support and have such a huge amount of drivers that again, it's easier for malware to abuse. This is called "dll hell". You could far more easily hide a keylogger in there than with OS X.
- The permissions structure of UNIX systems is more sensible. They keep the core system isolated with higher permissions and it mostly doesn't change. Windows is such a mish-mash of structures that they end up hiding things you do need access to and not properly protecting some things you shouldn't touch. They are in a bit of a rut because unlike Apple, they don't have the luxury of abandoning legacy when they feel like it.
- The Windows program structure is messy. You have hierarchies of app folders with dependent files scattered everywhere. OS X apps are bundles so an entire app can be self-contained and easy to find and the Activity Monitor has a simple view of running processes - it would be nice if Apple's ones were labelled but it's a lot easier to spot suspicious tasks.

There are basically fewer places for malware to hide in a UNIX system. Windows does benefit from security by obscurity in that it's closed source. UNIX systems benefit from the low market share.

If UNIX systems had an 80%+ marketshare, you can bet there would be more security vulnerabilities taken advantage of but the OS design is still safer and more than anything easier to repair. If something did screw up the core OS, you can restore it easily and be up and running. You can't reset the Windows registry that way because it screws up all your apps. You can't reset all your dlls or you have to reinstall hardware again. The Mac system has a very clean separation here.

Adding more talented security staff like Kristin is icing on the cake (still essential though) because they can weed out the obscure vulnerabilities before anyone can take advantage of them - they actually issue updates for a lot of core software people won't even know exists so they sift through it all the time. I'd like to see them tie down some app functionality like externally linking dynamic libraries. One of the Java exploits does that with the browser. There are reasons to allow dynamic libraries to hook into apps at run-time but it's asking for trouble with Safari and it should be an explicit choice made by the user. Same goes for installing apps that just ask for an admin password - loads of legitimate apps ask for it and I want to know why it's asking so I can tell at a glance if it's doing something it shouldn't.

 

Oh I think he wanted to say that if Apple put this girl in OS X, they won't ever be .... touched ...

 

 

Are you omnipotent? How can you make grand statements about what Apple has never said?

 

That drill instructor had anger issues…

Don't the words 'With virtually no effort on your part…' also have the same weasely connotations as 'pretty much'?

http://sophosnews.files.wordpress.com/2012/06/mac-osx-before-after.jpg from

http://www.securityweek.com/apple-pulls-no-viruses-claim-marketing

 

I've heard Apple store geniuses tell customers 'Mac's don't have viruses', which may be technically true at any given point in time, but the tech world changes very fast. Encouraging users to believe they are completely safe can end up getting them exploited by a trojan/ malware or malicious WiFi access point instead. 

 

I do believe Macs are very safe, but I'm loathed to encourage average and non technical users to take it for granted.

 

…Be…cause I'm going off of what has been on their website, which is what they said. 

 

I don't… If I was saying that Apple HAD said something, you'd have a case. 

 

No, not in the slightest.

Thanks Marvin, very enlightening answer for this lad.... ta 

What I want to know is why it even had to be made a news item that this person was "formerly Chris."

That's a female name, too, so all that's been done is gossip without meaning. And now dudes are remarking about her in ways that have nothing to do with her skills. I know people are curious, but maybe she prefers to be private about it.

one thing everyone failed to mention....they hired an infamous WINDOWS hacker......why hire a WINDOWS hacker for a UNIX based operating system?

 

Apple never "thought they can't be touched." You're confusing the well-known fact that Macs are not affected by the thousands of Windows viruses (something that Apple has pointed out in advertising) with "can't be touched." This is merely your misunderstanding.

 

What Steve Jobs said to Walt Mossberg was that Apple has been fortunate that virus writers are more interested in Windows. He said that Mach OS kernel is very secure and while Apple takes security very seriously, that you should never say that you're hack-proof. I'm paraphrasing because I don't recall the exact quote, but it was at one of the D conferences.

 

You also have to remember that in the age before Mac OS X, the "classic" Mac OS of the 1980s era was very prone to viruses, and at one point in Mac's history, viruses primarily replicated via sharing infected floppy disks. The very act of inserting and then ejecting a floppy disk (without opening any files) could infect early Macs. Apple has no illusions about being untouchable.

 

Secondly, "stateful packet inspection" already exists in some commercial firewalls or proxy servers, but it's not a magic cure-all for every type of attack vector. And the "I/O controller" is the wrong place for it: virus/trojan/injection detection must be done at higher layers of the OSI model.

 

 

Correct.

"Great! I am really glad Apple is not blind and still thinking they can't be touched.

I just hope that some day soon, the virus protection will be built in to the I/O controller so that all data in and out of the box is checked independently of the OS. This is a nice job for an Ax chip that checks every packet and every byte coming into the memory. This way, you can't hack it as easily as you can when it is dependent on the OS." -Richard Getz

The problem is that malware doesn't have a unique signature like a virus, it is basically a normal program that tricks the user into installing it & giving it the rights it needs to wreak havoc. Gatekeeper was a HUGE step in the right direction and since for $100 a year you can sign your apps with a cert from Apple it's pathetic that many big developers like adobe or oracle aren't yet signing theirs. It would be nice to see some of these big companies get raked over the coals for being part of the problem by leaving users with no other choice than to set gatekeeper wide open if they want to use their plug-ins or apps.

 

With the price of certification so low, I should hope that Apple, on discovering that any instance of certification is being misused for malware purposes, would revoke said certification permanently, as well as turning over those in question to the authorities.

So we have worldwide networking, a higher marketshare, and a substantially higher number of units sold, a much higher installed base, and an phenomenally higher mindhare between Apple today and Apple during Mac OS "Classic" yet there is considerably less malware today. I'd say Apple is doing something right.

 

"No, you're wrong. There is more. Because they're more popular. That's why you need anti-virus on your Mac. They'll never be 100% safe. That's why you need to have it."

 

I was told this not two days ago. It has to be right.

There is certainly an argument to be made that a less known and/or less popular OS will be less of a target but when you compare malware Mac OS Classic to today the argument falls short as the reason why Mac OS X is less affected than Mac OS Classic.

 

 

http://www.adweek.com/adfreak/get-mac-viruses-94103 

 

(sorry, can't find them on apple.com) 

 

Page is 404'd, but Apple's pages always stated "while no system is 100% immune to viruses" or "while no system is completely safe from attack", etc. NEVER that they were perfectly, permanently secure.

 

Ah, fixed the link. That still doesn't refute what I said or prove him right.