Apple Cites Open Source Core Security

ChilyMack writes "In a CNet article, Apple senior vice president Bertrand Serlet says, 'A lot of security problems derive from the core ... [With open source code,] thousands of people look at the critical portions of source code and ... check those portions are right. It's a major advantage to have open-source code.'"
  • Yeah... (Score:4, Funny)

    by shfted! ( 600189 ) on Wednesday September 01, 2004 @10:03PM (#10134843) Journal
    With the skin peeled off the Apple, and the raw core exposed, it's easy to remove the rotten bits. Getting rid of the rotten bits is good, as it reduces the number of worms.
  • by keiferb ( 267153 ) on Wednesday September 01, 2004 @10:08PM (#10134873) Homepage
    They're a (relatively) big company. Big companies are supposed to be evil, yet they do lots of Good Stuff(tm) like supporting and using OSS.

    This is what Apple's always done that's kept them around... their products are dirt simple, yet really powerful in hands that know how to put them to work.

    In the words of a motivational book-on-tape foisted on me recently, it's not enough to have satisfied customers, you need to create raving fans. I bought my first Apple (Pbook G4 1.25) in May, and I've been raving about it ever since. mmm.... iMac...
  • by CaptainCheese ( 724779 ) on Wednesday September 01, 2004 @10:25PM (#10134975) Journal
    I'd like to point out that Steve Jobs Did not say this.

    The fundamental difference? When Jobs says something is cool, it's cool. When random execs at Apple say something's cool it means nothing.

    At least, that's the way it seems to work...
    • -- .sigs are a waste of data...turn them off...

      You had me convinced, right up until I realized it was your sig that convinced me. Then my head exploded.

      • You had me convinced, right up until I realized it was your sig that convinced me. Then my head exploded.

        seemed the most obvious place to put it. I've always wanted to be a head-explodey-fu master. I shall call this attack "The nine fingered blow of the code monkey"
  • by Black Cardinal ( 19996 ) on Wednesday September 01, 2004 @11:12PM (#10135172) Homepage
    Especially considering how just a few days ago Steve Jobs was saying in an interview here [alwayson-network.com] how they were trying to not be blatant about trumpeting this advantage to avoid becoming a target for viruses and other security breaches.

    Although, if Steve Jobs points that out in an interview, then how low-profile can it really be?
  • by spineboy ( 22918 ) on Wednesday September 01, 2004 @11:49PM (#10135337) Journal
    Open source works for exactly the same reason why you have someone else proofread your paper/thesis before you turn it in. You've seen it so many times, that you don't really look at it anymore. A fresh pair of eyes will spot all sorts of wrong things, or come up with a more elegant way of stating something.

    I mean seriously - if something is important to you, do you just turn it in w/o someone else giving it the once over? My wife reads every talk I give and vice-versa. WE ALWAYS catch mistakes that the other person has made.

    It's a no-brainer.

    • by TheLink ( 130905 ) on Thursday September 02, 2004 @03:50AM (#10136454) Journal
      Most significant security problems are only detected by a few experts in the field.

      A million ignorant eyes won't be able to spot a buffer overflow even if it bites them.
    • And equally Open Source doesn't work because there is no controlled review process. In most (not all) projects only one pair of eyes will ever consider a particular piece of code. Another may touch on it in passing. But seldom is each function thoroughly reviewed, line by line, for correctness.

      Open Source gives you the ability to have a million eyes inspecting the code. It doesn't necessarily cause that to happen.

      What we need in the FLOSS world is a code review system similar to Project Gutenberg'

      • Nice idea.

        Perhaps it can be done using a mechanism modeled on the slashcode karma/moderation/metamoderation system. (It seems that this might be valuable CVS functionality for some kinds of projects).

        The peer review of code is somewhat different from sifting the chaff in slashdot, but the parallel is there, and the automated negative feedback process that the slashadmins invented certainly solves some of the problems.

  • Does anyone else hear their ears ringing (even though this is on screen?) Apple, core? Ugh! Did the Apple dude mean to do that?! I suppose one could use text to speech to experience the effect with Victoria's immaculate voice.
  • by Anonymous Coward
    .... like setting ownership/permissions on tty devices with Apple X11's xterm.
  • Well... (Score:3, Interesting)

    by 0x0d0a ( 568518 ) on Thursday September 02, 2004 @12:58AM (#10135743) Journal
    Nice as this sounds and all, I have to point out that there's an awful lot of OS X code out there that is closed source.

    Though most of the directly network-exposed stuff seems to be generally open source (well, dunno about Rendezvous).
    • Re:Well... (Score:4, Interesting)

      by prockcore ( 543967 ) on Thursday September 02, 2004 @02:07AM (#10136061)

      Though most of the directly network-exposed stuff seems to be generally open source (well, dunno about Rendezvous).


      There's a simple Rendezvous implementation that's open source called mDNSResponder. This is the library released for Linux and Darwin.

      However, this is not what OS X apps use for Rendezvous. They call functions in the core services. The code in the core services is not open source and probably uses little of the mDNSResponder library.

      But even if it did use the mDNSResponder library, just because it's open source doesn't mean it is secure.

      At the core of mDNSResponder is a single 318k file called mDNS.c

      It is really tough to work on because it is such a huge mess.. and this is the code they released to the public.
      • Re:Well... (Score:3, Interesting)

        by 0x0d0a ( 568518 )
        But even if it did use the mDNSResponder library, just because it's open source doesn't mean it is secure.

        Obviously -- but there's a pretty good argument that it helps improve security (other factors being held the same, naturally).
      • The OS X Rendezvous implementation uses a daemon called mDNSResponder. It's a 132k executable.

        The entire architecture is like that: Applications use frameworks, APIs and system calls to get services, which are often provided by UNIX daemons.
  • Evidence too... (Score:1, Insightful)

    by bullitB ( 447519 )
    Apple has been a great demonstration for the added security of OSS. Of the few exploits that have arisen, they've mostly been related to the parts of the OS that are still closed, like AppleScript [secunia.com] and Internet Connect.app [secunia.com]. Maybe they should expand their OSS efforts into these areas...

    (exceptions in recent libpng and libz exploits)
    • Re:Evidence too... (Score:3, Informative)

      by node 3 ( 115640 )
      "Of the few exploits that have arisen, they've mostly been related to the parts of the OS that are still closed"

      That's not even remotely true. When you run Software Update, Apple lists exactly what's being updated and all of the security updates have been primarily updating free software.

      And that doesn't even address your use of the word "exploits" as there have been none to date, just potential exploits and "proofs of concept" that are at best nominal exploits.
      • You're just proving the point of the article. Open source doesn't mean that there will be less security advisories(in fact, there will likely be more, because more people are looking for them), but that those that do appear will be fixed quickly and in most cases, before they can be exploited. For closed source stuff, it generally works the other way around-exploit and then patch. When discussing this, keep in mind how many more eyes OSS can train on code, and how much faster those patches can be created
        • "You're just proving the point of the article."

          I wasn't disputing the article. In fact I agree with the article. I was disputing that Apple's security flaws have been from their proprietary software and that the answer to their (nonexistent) problem is to open source the whole thing.

          "When discussing this, keep in mind how many more eyes OSS can train on code, and how much faster those patches can be created."

          I care nothing about how many eyes see the code as how many brains do.
  • OS X is not "secure" because it uses Open Source, it's less targeted because it has far less market share and Apple changes enough stuff that straight BSD and/or GNU vulnerabilities can't be exploited the same way as on other platforms (not to mention different byte code!).

    I'll also remind everyone that it has had its share of URI handler problems, but of course people will claim they only had those problems because they used a closed-source browser. Well I've seen enough Mozilla and Opera security patch
    • I'd wager the real reason we haven't seen many worms from Apple platforms is the clientele. It's both small and likely to turn the computer off when not in use. No value in a target that's never on and difficult to propagate. Not like the thousands of servers running BSD, Linux, or Windows, with vast resources for storing pirated goods, sending spam or using as part of a DDoS.

      Of course, I'd hate to see what a few powerbooks infected could do with their builtin wifi. If nothing else, it should bring the airs
      • Dude, nobody turns off Apple computers. Even my iBook doesn't get turned off. Apple Computers go to sleep and wake up when you hit the space bar. Their power saving features are years ahead of anything Intel based.

        It's obvious you know nothing about Apple computers.
    • by node 3 ( 115640 ) on Thursday September 02, 2004 @04:14AM (#10136527)
      "People have an irrational hate for Microsoft"

      I wouldn't call it irrational. Sometimes people vent their anger irrationally, but the cause of that anger is generally quite rational indeed.

      And your assertion:

      "So really, there are two reasons why Mac OS has not had mass exploits:
      1.) Obscure
      2.) Not an emotional target"

      is pure speculation. If they were the sole reasons, then you'd expect at least one actual exploit to surface in the wild. I'm sure they are factors, but how about it's easier to write viruses/worms/trojans for Windows? And the fact that MS waits so long before security updates?

      In short, there are not, simply, "two reasons why Mac OS has not had mass exploits".
      • Personally, I don't really think Macs are "obscure" at all.

        Macs have been around for what, 20 years? I don't know a single graphic designer who hasn't at least spent a fair amount ( if not all) of their time on them.

        Obviously, Macs aren't number 1, but as regards *personal* computing they're definitely number 2. Macs have a huge mindshare. Macs are everywhere from schools to businesses to government and even science.

        Saying the Mac is obscure is like saying Zenith is obscure because Sony has #1 marketshar
    • OS X is not "secure" because it uses Open Source, it's less targeted because it has far less market share

      These things are not mutually exclusive. OS X may, in fact, be more secure because it uses open source, and also has fallen to fewer (zero?) exploits in part because it has smaller market share.

      I'll also remind everyone that it has had its share of URI handler problems, but of course people will claim they only had those problems because they used a closed-source browser.

      True, but that was a prob
      • Well I think the response to Real Networks pretty much fits the description...

        As for the cheerleading squad, you can't go 6 inches on /. these days without running into some *n*x junky singing the praises of Apple. Just look at *n*x conventions and tradeshows over the last two years, the amount of laptops with an Apple on the lid is staggering.
    • So really, there are two reasons why Mac OS has not had mass exploits:
      1.) Obscure
      2.) Not an emotional target

      You're at least partially right, though there is room for disagreement (the way Windows puts all the metadata about executability in the file extension is a fundamental flaw, I'd say).

      In the end, it doesn't matter why Mac OS X has fewer security problems - it only matters that it does have fewer problems.

      Right now, if you're using file formats and applications that are standards-based and/or cros

      • In the end, it doesn't matter why Mac OS X has fewer security problems - it only matters that it does have fewer problems.

        Yes and no.

        Yes, in that of course, for you and I in there here and now, this is most important in practical terms. We can both get on with our work with fewer hassles.

        No, in that the why is important for several reasons. I think it's important to look at the obscurity angle, and break it down into two areas. 1) is that obviously because there are fewer Macs as compared to Windows mac
      • A third reason that Macs have fewer attacks is that fewer of the l33t kiddies actually own them.

        There's no way I could write code that attacked a Mac without having one to play with - and I don't.

        I've got a collection of PCs and a collection of Sun boxes, but no Macs.

    • The difference is, in OSS software, vulnerabilities and exploits tend to get fixed
    • If obscurity were the reason for such few exploits then we'd expect there to be many more attacks on Apache than there are.
    • There's a whole class of security vulnerabilities in Windows that did not trouble any other operating system or application environment, at least until people started copying them. And they've only begun to show up elsewhere... if people push hard enough, maybe they can be kept from spreading...

      I'm talking about "cross zone exploits". Until Microsoft merged the desktop and the browser the whole idea of a program that was designed to handle untrusted documents, particularly something like a web browser, tha
    • A default installation of the consumer-version of OS X ships with zero network services turned-on by default. Run nmap at a fresh installation of OS X on the same network, you won't get a single hit.

      Windows has FOR YEARS shipped with network services that were turned-on by default that the vast majority of end-users would never need. Start with IIS. samba. xmlrpc. FOR YEARS windows machines have been exploited without the help of their users, for just being "turned-on". The most virulent cases really st
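The check the comment above describes, scanning a fresh install from another machine and confirming nothing answers, is easy to automate. The following is an added example, not code from the original page or from Apple or the nmap project: it parses nmap's grepable output (`nmap -oG -`) and reports which hosts actually have a listening service. The scan text embedded in it is constructed for illustration, not a real capture; the host names and addresses are made up.

```python
"""Parse nmap grepable (-oG) output and report which hosts expose listening services.

The SAMPLE_SCAN text below is constructed for this example; it is not a real capture.
Grepable port entries have the form
    port/state/protocol/owner/service/rpcinfo/version/
separated by commas inside a "Ports:" field.
"""
from typing import Dict, List, Tuple

# Constructed sample: one host with nothing open, one with three open TCP ports,
# and one where a firewall dropped the probe (filtered, so no service answered).
SAMPLE_SCAN = """# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 (mac-fresh.local)\tStatus: Up
Host: 10.0.0.5 (mac-fresh.local)\tPorts: 22/closed/tcp//ssh///, 631/closed/tcp//ipp///\tIgnored State: closed (1657)
Host: 10.0.0.7 (win-box.local)\tStatus: Up
Host: 10.0.0.7 (win-box.local)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (1656)
Host: 10.0.0.9 (fw-host.local)\tPorts: 80/filtered/tcp//http///
# Nmap done (constructed sample)
"""

PortRecord = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_grepable(text: str) -> Dict[str, List[PortRecord]]:
    """Return {host: [(port, state, proto, service), ...]} for every Host: line."""
    results: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner lines
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.0.0.5 (name)" -> "10.0.0.5"
        results.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" fields carry no port data
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue  # malformed entry; ignore rather than guess
                results[host].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return results


def exposed_services(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Hosts that actually answer on a port: only state 'open' counts.

    'closed' means a RST came back (nothing listening); 'filtered' means the probe
    was dropped, typically by a firewall. Neither is a reachable service.
    """
    out: Dict[str, List[Tuple[int, str, str]]] = {}
    for host, ports in parse_grepable(text).items():
        opened = [(p, proto, svc) for p, state, proto, svc in ports if state == "open"]
        if opened:
            out[host] = opened
    return out


def silent_hosts(text: str) -> List[str]:
    """Hosts with no open port at all, which is what the comment above expects
    from a fresh consumer OS X install scanned from another machine."""
    parsed = parse_grepable(text)
    return sorted(h for h in parsed if not any(s == "open" for _, s, _, _ in parsed[h]))


if __name__ == "__main__":
    for host, svcs in exposed_services(SAMPLE_SCAN).items():
        print(host, ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in svcs))
    print("no listening services:", silent_hosts(SAMPLE_SCAN))
```

To use it on a real scan, run `nmap -p- -oG - <target>` from a second machine on the same LAN and feed the output to `exposed_services`. Two caveats a practitioner would add: scanning from the target itself only shows what is bound to loopback, and nmap's default port list is not every port, so `-p-` matters if the goal is "not a single hit".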

    • People always talk about no-one attacking OS X because of its market share, and it being a "low value" target.

      We saw, when the proof-of-concept virus came out, the media jumped all over it. Imagine the attention the first real OS X virus would get!
  • Virus writers tend to be driven by the desire to get recognition for their work from peers or some strange satisfaction from hacking other people's computers. With this logic, OS X should be a prime target. It has been out how long now? 4-5 years and it still has not had any exploits in the wild. Who wouldn't want to be the *FIRST* to write and receive credit for an OS X exploit? If they're trying, they're not having much success. If they're not trying, why not? I don't think that it is obscurity that
  • Big company uses open source = big company gets cheap labour fixing bugs.
