Apple Hires Former OLPC Security Director
imamac writes "It seems Apple is seeking to beef up security by hiring Ivan Krstic, the one-time director of security architecture at One Laptop per Child. 'Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac.'"
Re:I am lost here . . . (Score:4, Interesting)
Re:I am lost here . . . (Score:5, Interesting)
Let's see here. The guy that invented a good security system (nerd) is hired by a large corporation (news). So far we have nerd and news covered. Now let's see, how does this matter? As Macs gain popularity they also garner the interest of people looking to make exploits for them. Apple is trying to head off the tide a little so they can still market as being more secure than their main competitor. Personally I'm a FreeBSD/Linux fan, but for all the Mac users out there I think that it matters. So there you have it, News for Nerds, Stuff that Matters. Or maybe News about a Nerd, Stuff that Matters.
Comment removed (Score:3, Interesting)
Re:Ha (Score:4, Interesting)
Someone seems to be methodically modding down any comments that disagree with the submitter.
Re:So trivial there's only one (Score:4, Interesting)
If the market-share argument were true then there wouldn't have been any viruses for pre-OSX Macs either. But there were; lots of them.
There were also viruses for the Apple IIGS, hardly a market leader.
That's a tired old troll you have there, sir.
Re:So trivial there's only one (Score:3, Interesting)
So they're only vulnerable to the hobbyist hackers... where are the successful malware examples from that group?
If the argument is that it's not worth anyone's time, then shouldn't you say that we don't know how vulnerable it is? I don't trust Apple implicitly, given how buggy early releases of many of their products seem to be, but this unfounded speculation does seem to be a popular troll that's used equally effectively against Linux. Try being a bit more responsible.
Re:So trivial there's only one (Score:2, Interesting)
I personally haven't heard of any exploit in the wild except the trojan, for which the user has to be willing to provide their password to any old bit of software of unknown provenance - to be honest I don't know how one could protect against that on any system.
Luckily, Ivan Krstic knows how. From a CNET article [cnet.com] about Bitfrost:
Instead of blocking specific viruses, the system (Bitfrost) sequesters every program on the computer in a separate virtual operating system, preventing any program from damaging the computer, stealing files, or spying on the user. Viruses are left isolated and impotent, unable to execute their code.
Re:So trivial there's only one (Score:3, Interesting)
I totally agree with you, but /. tends to degenerate the topic into "Macs are swiss cheese.." "no! Windows is swiss cheese".. etc..
grrr.. trust
I'm really interested in hearing about Krstic's security philosophy and its merits/demerits. I found this talk on zdnet [zdnet.com] but there's only about 5 minutes of actual security architecture info in it at around 40:00 into the video. Oh, and there's also this BitFrost overview on Wikipedia [wikipedia.org]. I think there are some cool concepts there. The idea of sandboxing all apps into containers with sets of standard rights, and restricting IPC to certain approved mechanisms is pretty interesting. Was hoping people could focus on BitFrost and Krstic's security philosophies so we could all learn something.
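The two ideas the thread keeps circling back to (the CNET quote above about sequestering every program so a trojan is "isolated and impotent", and this comment's summary of per-app containers with standard rights and approved IPC mechanisms) are easier to reason about with a small runnable model. The Python below is an added illustration, not code from any poster, from OLPC or from the Bitfrost specification: the right names, the "read files + network needs consent" conflict rule, the broker channel names and the sample programs are all constructed for this example. It shows the default-deny behaviour that makes the password-trojan case from earlier in the thread less damaging: a program the user installs without granting it anything simply cannot reach documents or the network, and cross-program messages only flow over channels the broker knows about.

```python
"""Constructed illustration of a Bitfrost-style per-program rights model.

Every program runs in its own container holding only the rights it was
granted at install time; everything else is denied. Cross-container
communication goes through a broker that only permits a small set of
approved channels. The right names, the conflict rule and the channel names
are this example's own assumptions, not identifiers from the Bitfrost spec.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Right(Enum):
    NETWORK = auto()          # may open outbound connections
    DOCUMENTS_READ = auto()   # may read the user's documents
    DOCUMENTS_WRITE = auto()  # may modify the user's documents
    IPC_SEND = auto()         # may send messages through the broker


# Right combinations that together form an exfiltration path (read the
# user's files and talk to the network); granting both needs user consent.
CONFLICTING = (frozenset({Right.NETWORK, Right.DOCUMENTS_READ}),)


class PolicyError(Exception):
    """Raised when an install request violates the policy."""


@dataclass(frozen=True)
class Program:
    name: str
    rights: frozenset


def install(name, requested, user_consented=False):
    """Create a container for `name` holding exactly the requested rights.

    Conflicting bundles are refused unless the user explicitly consented.
    """
    rights = frozenset(requested)
    for combo in CONFLICTING:
        if combo <= rights and not user_consented:
            names = sorted(r.name for r in combo)
            raise PolicyError(f"{name}: {names} requires user consent")
    return Program(name, rights)


def open_document(program, path, write=False):
    """Default deny: without the matching document right, access fails."""
    needed = Right.DOCUMENTS_WRITE if write else Right.DOCUMENTS_READ
    return needed in program.rights


def connect(program, host):
    """Default deny for network access."""
    return Right.NETWORK in program.rights


class IpcBroker:
    """Only approved channels exist; anything else is not a valid IPC path."""

    def __init__(self, channels):
        self.channels = frozenset(channels)
        self.log = []  # audit trail of every attempt, allowed or denied

    def send(self, src, dst, channel, payload):
        allowed = Right.IPC_SEND in src.rights and channel in self.channels
        self.log.append((src.name, dst.name, channel, allowed))
        return allowed


def demo():
    """Run the model on constructed programs; True means the action succeeded."""
    broker = IpcBroker(channels={"share-document", "clipboard"})
    editor = install("editor", {Right.DOCUMENTS_READ, Right.DOCUMENTS_WRITE})
    browser = install("browser", {Right.NETWORK, Right.IPC_SEND})
    # A downloaded "screensaver" the user installed gets the empty default.
    screensaver = install("free-screensaver", set())

    outcomes = {
        "screensaver_reads_diary": open_document(screensaver, "diary.txt"),
        "screensaver_phones_home": connect(screensaver, "collector.invalid"),
        "editor_reads_diary": open_document(editor, "diary.txt"),
        "editor_phones_home": connect(editor, "collector.invalid"),
        "browser_shares_via_broker": broker.send(browser, editor, "share-document", b"x"),
        "browser_uses_unapproved_channel": broker.send(browser, editor, "raw-pipe", b"x"),
        "editor_sends_without_right": broker.send(editor, browser, "clipboard", b"x"),
    }
    # Asking for read + network in one bundle is refused without consent.
    try:
        install("sync-tool", {Right.NETWORK, Right.DOCUMENTS_READ})
        outcomes["exfil_bundle_refused"] = False
    except PolicyError:
        outcomes["exfil_bundle_refused"] = True
    return outcomes


if __name__ == "__main__":
    for action, result in demo().items():
        print(f"{action:35s} {result}")
```

The point of the conflict rule is that the dangerous thing is not any single right but the combination; a real system would surface that combination to the user as a distinct decision rather than a generic "enter your password" prompt, which is what makes the trojan scenario discussed above harder to turn into data loss.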
Re:So trivial there's only one (Score:3, Interesting)
I don't believe that for Linux, and I certainly don't believe that for Windows.
Face it guys, OS X is built on a BSD userland with the same OpenSSH you all know and love. It uses the same owner/group/others file permissions. It ships with an excellent firewall, and no open ports by default.
IMO, it's as safe as Linux. The smart users will only ever see trojans and home-dir-deleting "viruses", and the dumb ones that type their password will get owned.
The probability of hitting a Mac, and then having the user enter their password into a random unexpected popup is too low for Macs to be a viable target.
Re:I am lost here . . . (Score:3, Interesting)
How can threats from untrusted code (or vulnerabilities in trusted code) exploit a JTAG header on the board of the device?
Unless, of course, you think that the owner of the device is somehow a "security threat"? I keep meeting people who think this, and I really don't understand it at all...
(actually, Krstic's Bitfrost system *does* implement some local physical security, but that is to address a very specific threat: theft)
Re:And in other news... (Score:3, Interesting)
Apple execs have put down their glasses of marketing Kool-Aid and joined the real world.
Apple has always been a bit erratic when it comes to security, owing to their odd blend of cultures. To suggest, however, that they've been ignoring security is more than a little misguided. Leopard included the addition of a MAC framework ported from TrustedBSD, an application signing framework, and ACLs restricting some exposed services (like zeroconf) that would have been vulnerabilities otherwise. Apple has done a very good job of shipping an OS hardened enough to deal with the level of worm and virus infections facing it in the wild. Now, with trojans being a bigger concern, they bring in a person who helped write and implement a pretty decent MAC implementation for general, if limited use. With luck this may be the beginning of a new era of consumer level trojan mitigation, something Apple already laid the groundwork for but has not really implemented the UI and market components for.
Basically I disagree with you that Apple has been ignoring security and I disagree that OS X is as vulnerable to most classes of real world threats as Windows. I see this as Apple making a good hire that fits with their current security strategies, assuming that is what they hired him for.