Linked by Thom Holwerda on Mon 1st Apr 2013 12:25 UTC
Apple "Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. [...] It isn't. It's a troubling symptom that suggests Apple's self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn't going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple's entire ecosystem of devices, stores, software, and services."
Ironic
by darknexus on Mon 1st Apr 2013 13:33 UTC
darknexus
Member since:
2008-07-15

Rather ironic to see a security article posted here at this very minute, when I've been presented with the admin side panel above the right column of news since late last night, for no reason. Apparently I'm "logged in as root" and could do all sorts of things to OSNews and there was no hacking involved. It just came up a few hours back and it's still there now. I've made no attempt to use it, but am I the only one who sees it? It appears on both my Mac and my iPad.
On a side note, please do tell me you guys don't actually use root for your admin username?

Reply Score: 1

RE: Ironic
by zima on Mon 1st Apr 2013 13:35 UTC in reply to "Ironic"
zima Member since:
2005-07-06

You're not the only one who sees it.

Reply Score: 2

RE: Ironic
by Thom_Holwerda on Mon 1st Apr 2013 13:43 UTC in reply to "Ironic"
Thom_Holwerda Member since:
2005-06-29

Check the date.

Reply Score: 9

RE[2]: Ironic
by darknexus on Mon 1st Apr 2013 14:49 UTC in reply to "RE: Ironic"
darknexus Member since:
2008-07-15

Check the date.

Lol Thom, that just occurred to me. Funny thing about that though is, it wasn't April first when I saw it so I wasn't on guard against it. Good one! It's been a long time since anyone got me with an April Fools' joke. ;) I take my hat off to you.

Reply Score: 3

RE[3]: Ironic
by woegjiub on Mon 1st Apr 2013 15:03 UTC in reply to "RE[2]: Ironic"
woegjiub Member since:
2008-11-25

I too was fooled, but to be fair, it is the 2nd here.

The US-centric nature of the English web always catches me unaware.

Reply Score: 2

RE[4]: Ironic
by Thom_Holwerda on Mon 1st Apr 2013 15:05 UTC in reply to "RE[3]: Ironic"
Thom_Holwerda Member since:
2005-06-29

I believe it's GMT-centric, actually.

Reply Score: 3

RE[5]: Ironic
by kristoph on Mon 1st Apr 2013 16:40 UTC in reply to "RE[4]: Ironic"
kristoph Member since:
2006-01-01

It totally got me. I was so disappointed when I couldn't ban Thom (kidding).

Reply Score: 2

RE[5]: Ironic
by woegjiub on Mon 1st Apr 2013 21:17 UTC in reply to "RE[4]: Ironic"
woegjiub Member since:
2008-11-25

OSNews may well be, but most of the English web is still very Americanised with times and spellings.

Not a complaint, just something Commonwealth citizens have to keep remembering.

Reply Score: 2

RE[6]: Ironic
by ricegf on Tue 2nd Apr 2013 09:39 UTC in reply to "RE[5]: Ironic"
ricegf Member since:
2007-04-25

It would be delightful if the Internet led to some consolidation in gratuitous spelling differences and such in English. Possibly because I work on an international program, I find I'm adding a lot of u's (as in colour) without really thinking. Still can't really internalize boot and bonnet, though. *shrugs*

Reply Score: 2

RE[2]: Ironic
by Drumhellar on Mon 1st Apr 2013 15:03 UTC in reply to "RE: Ironic"
Drumhellar Member since:
2005-07-12

I was writing an email to Adam thinking it was a bug when it occurred to me that it was probably an April Fool's joke. I made note of it in the email, and sent it anyways, before I tried one of the links on the side.

It was 8:30pm local time when I noticed it, so it was still kinda early for me to connect it to the date.

Reply Score: 2

RE[2]: Ironic
by sapere aude on Mon 1st Apr 2013 20:55 UTC in reply to "RE: Ironic"
sapere aude Member since:
2006-03-07

BTW, this (the fake control panel) is WAY better than dozens of fake posts. /. is a piece of $*1t today.

Reply Score: 2

RE[3]: Ironic
by Drumhellar on Mon 1st Apr 2013 21:46 UTC in reply to "RE[2]: Ironic"
Drumhellar Member since:
2005-07-12

I don't know... the TRS-80 vs Commodore 64 comparison was pretty cool.

All it needed were screenshots.

Reply Score: 3

RE: Ironic
by Bill Shooter of Bul on Mon 1st Apr 2013 14:13 UTC in reply to "Ironic"
Bill Shooter of Bul Member since:
2006-07-14

You must be new here. I actually set my calendar by the Admin panel appearance.

Reply Score: 8

RE[2]: Ironic
by darknexus on Mon 1st Apr 2013 14:50 UTC in reply to "RE: Ironic"
darknexus Member since:
2008-07-15

You must be new here. I actually set my calendar by the Admin panel appearance.

Not new, but I must not have ever visited around April fools day before.

Reply Score: 2

RE: Ironic
by BallmerKnowsBest on Mon 1st Apr 2013 14:20 UTC in reply to "Ironic"
BallmerKnowsBest Member since:
2008-06-02

Rather ironic to see a security article posted here at this very minute, when I've been presented with the admin side panel above the right column of news since late last night, for no reason. Apparently I'm "logged in as root" and could do all sorts of things to OSNews and there was no hacking involved. It just came up a few hours back and it's still there now. I've made no attempt to use it, but am I the only one who sees it? It appears on both my Mac and my iPad.


And if that weren't crazy enough, I hear that Maddox is having a kid and shutting down his site!

http://thebestpageintheuniverse.net/c.cgi?u=second_chance_af

Reply Score: 3

RE: Ironic
by BluenoseJake on Mon 1st Apr 2013 15:25 UTC in reply to "Ironic"
BluenoseJake Member since:
2005-08-11

It got me last year

Reply Score: 2

it happens to everyone
by kristoph on Mon 1st Apr 2013 16:39 UTC
kristoph
Member since:
2006-01-01

You know last April there was a 0-day flaw in Hotmail, last November there was a Gmail security flaw; did you write a 'when will Microsoft/Google get serious about security?' article? I know you think it's ok to be biased but, really?

Security problems creep up for all companies; it's an inescapable part of a rapid/agile software development process. The battle between security/stability and progress has been waged and progress won.

Ironically, these days, Microsoft is probably the company that spends the most on security in their consumer software, and it's hampering their ability to innovate and it has not eliminated all security issues.

Apple does what everyone else does. They run automated security tests and when those tests don't cover a particular case a security lapse occurs. Although this exploit was 'dead simple' it was also not at all 'obvious' as it was not previously discovered.

Reply Score: 1

RE: it happens to everyone
by BallmerKnowsBest on Mon 1st Apr 2013 18:12 UTC in reply to "it happens to everyone"
BallmerKnowsBest Member since:
2008-06-02

You know last April there was a 0-day flaw in Hotmail, last November there was a Gmail security flaw; did you write a 'when will Microsoft/Google get serious about security?'


Fallacy ahoy: false equivalence. Not that your question would make sense anyway, since Thom wasn't the author of this article to begin with.

Of course, the difference is that those were relatively new flaws, while Apple has consistently released products with security vulnerabilities that everyone else learned how to avoid years (if not decades) ago. That, and Microsoft/Google tend to fix those issues quickly, as opposed to Apple's approach of "steadfastly deny that the problem even exists, then maybe get around to fixing it after 2-3 weeks of bad press."

I know you think it's ok to be biased but, really?


Please. Everyone knows that, coming from an iFanboy, "biased" really just means "not sufficiently biased in favor of Apple." Not that I should be surprised, of course, since that's a standard apologetics tactic: when you can't refute the message, then attack the messenger.

Apple does what everyone else does. They run automated security tests and when those tests don't cover a particular case a security lapse occurs.


More false equivalence. If you think Apple's security is the same as "everyone else", then maybe you should look up the name "Mat Honan":

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacki...

A company with the size and resources of Apple has absolutely NO excuse for regularly releasing products with such basic, serious security failings. And it shouldn't be surprising to anyone: when you have a "technology" company with "form over function" as its guiding philosophy, those types of engineering failures are inevitable.

Although this exploit was 'dead simple' it was also not at all 'obvious' as it was not previously discovered.


Switching gears to the post-hoc fallacy? The fact the flaw wasn't discovered previously doesn't prove anything about its obviousness, it just proves that the flaw wasn't discovered previously (derp).

It's equally possible that the flaw went undiscovered because barely anyone actually uses the service. Actually, that's probably more likely, given the way that Apple's previous attempts at online services/social media were all spectacular failures.

Reply Score: 5

RE[2]: it happens to everyone
by Tony Swash on Mon 1st Apr 2013 23:01 UTC in reply to "RE: it happens to everyone"
RE[3]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 00:21 UTC in reply to "RE[2]: it happens to everyone"
Alfman Member since:
2011-01-28

Tony Swash,

Do you have evidence at all that iOS as an operating system is technically more secure than any of the other mobile platforms, or are you claiming things merely because they fit within your world view? It's a serious question. Please provide a source with real details explaining exactly how the iOS operating system is more secure without any of the usual Apple fanboy spin-doctored BS.


As for the walled garden, the iPhone store moderators are notorious for scrutinizing applications based on morality and banned functionality, but what indication do you have that applications get any attention from a qualified security expert?

It's not like vulnerable iPhone applications are unfounded or rare. I'm citing a few examples here, but known iOS app vulnerabilities are not rare. These aren't Apple's own vulnerabilities, but it does show that Apple's guardians are not doing a great job of vetting app security in the Apple store. It would seem Apple isn't as good at security as independent security auditors.

http://seclists.org/fulldisclosure/2013/Feb/91
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2012-10/msg0...
http://packetstormsecurity.com/files/120397/VL-864.txt
http://seclists.org/fulldisclosure/2013/Mar/8
http://www.exploit-db.com/exploits/24484/
http://cxsecurity.com/issue/WLB-2013020090

Apple's own iOS software has had its own history of serious vulnerabilities as well. Some of these flaws are actually what permit us to jailbreak the iPhone(s) in the first place.

http://browsers.about.com/b/2007/08/02/iphone-update-fixes-serious-...
http://blogs.mcafee.com/mcafee-labs/iphone-dos-vulnerability
http://securitywatch.pcmag.com/apple/283835-iphone-ipad-jailbreak-w...
http://www.pcworld.com/article/169436/Black_Hat_Reveals_iPhone_SMS_...
http://www.computerweekly.com/news/1280090073/Apple-races-to-fix-iP...
http://theiphonewiki.com/wiki/AT+XAPP_Vulnerability


I'm not a security researcher myself, so I cannot say how iOS stacks up to Android or anything. But the OP was onto something when he said it happens to everyone.

Reply Score: 6

RE[4]: it happens to everyone
by Tony Swash on Tue 2nd Apr 2013 11:41 UTC in reply to "RE[3]: it happens to everyone"
Tony Swash Member since:
2009-08-22

Tony Swash,

Do you have evidence at all that iOS as an operating system is technically more secure than any of the other mobile platforms, or are you claiming things merely because they fit within your world view? It's a serious question. Please provide a source with real details explaining exactly how the iOS operating system is more secure without any of the usual Apple fanboy spin-doctored BS.


First of all, a general point. Apple screens all software before allowing it to appear in the iOS App Store. Google does not screen apps before allowing them to appear in Google Play.

I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible.

Clearly, with the volume of apps being processed, mistakes can and will be made and malware could get through any screening process. However, it appears that the number of malware apps getting through the iOS screening process is vanishingly small and they are quickly removed on detection.

Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonably competent measurements of actual real-world security breaches and malware exploits based on large samples and large data sets. All too often debates about relative security performance wander into the theoretical and focus on the obscure security potential of issues associated with particular pieces of code or particular security arrangements whilst ignoring the real-world security performance of different systems and platforms. It's all very well being concerned that security breach 'X' on one platform is in theory worse than security breach 'Y' on another, but if it turns out that in the real world security breach 'Y' has actually been used 100,000 times on actual victims and breach 'X' has never been used on any actual victims, then I would consider it reasonable to say that security breach 'Y' is a worse security problem.

In the realm of mobile platforms there are independent studies conducted at regular intervals using large data sets that attempt to measure the relative amounts of malware on different mobile platforms. The conclusions of all these studies by different security companies are all broadly the same, which is that mobile malware is overwhelmingly a problem of the Android OS and is vanishingly small on the iOS platform.

This PDF of the Mobile Threat Report from F-Secure Labs dated Q4 2012 is representative of the sorts of results you see from many such reports:

http://www.f-secure.com/static/doc/labs_global/Research/Mobile%...

As you can see from the report, it says that observed malware by platform at the end of 2012 was as follows:

Android 79%
Symbian 19%
iOS 0.7%

The fact that the pattern of many different reports on real world security problems on mobile platforms broadly paints the same picture means, I think, one can have a high confidence that they are broadly accurate in two important conclusions:

Malware on mobile is an Android problem.

Malware on Android is getting worse.

Edited 2013-04-02 11:47 UTC

Reply Score: 1

RE[5]: it happens to everyone
by Thom_Holwerda on Tue 2nd Apr 2013 11:47 UTC in reply to "RE[4]: it happens to everyone"
Thom_Holwerda Member since:
2005-06-29

The quoted study is being misinterpreted all over the web in yet another shining example of modern journalists and bloggers not having a single f--king clue about statistics and numbers.

That "79%" sounds very scary indeed. However, all it means is that 79% of the encountered malware families occurred on Android. That's it. The report has NOTHING, and I repeat, NOTHING, to say about how many Android devices were actually infected by malware. Still, idiots present it as such, which is exactly what F-Secure - an antivirus peddler - knew it would do.

In simpler terms: saying that 79% of flu strains affect humans is completely irrelevant information when you want to know how many humans are affected by flu strains.

If, after all these years, someone still presents numbers from antivirus peddlers as-is, you know said someone is either stupid, or has an agenda.

Edited 2013-04-02 11:50 UTC

Reply Score: 4

RE[6]: it happens to everyone
by Tony Swash on Tue 2nd Apr 2013 13:11 UTC in reply to "RE[5]: it happens to everyone"
Tony Swash Member since:
2009-08-22

If, after all these years, someone still presents numbers from antivirus peddlers as-is, you know said someone is either stupid, or has an agenda.


Sounds a bit complacent to me. I wonder what your position would have been if it was reported that 79% of malware was found on iOS? Less complacent I suspect.

A report from www.mobilesandbox.org, a site that collects information about malware on Android, found that out of the 300,000 new Android apps on Android stores in 2012 it found 43,000 malicious apps in 115 different malware families. Most of the fake apps were downloaded from Russian and Asian third-party app stores, but 13 malware families were also found on the official Google Play Store. It's possible to assume that very few people are downloading those apps and hence that the actual rate of malware infections is very low, but I would like to understand the reasons for assuming such a thing and the evidential basis supporting such reasoning.

According to a recent report from the security firm Kaspersky, 99 percent of all new malware attacked the Android platform last year. That was a continuation of the trend from 2011, which registered an explosive growth in Android malware.

During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to a whopping 6,300 programs.

"Android is the world's most widely used smartphone operating system, so it is not surprising that it is also the hacker's favorite goal. But it has probably surprised many people, including myself, that it's as much as 99 percent", security expert Kevin Freij from MYMobileSecurity said.

Again one could assume that all those malware programs on Android are failing to actually infect any end user, even though the writers of Android malware seem to be increasing their efforts hence the explosive growth, but again I would like to understand the reasons for assuming such a thing and the evidential basis supporting such reasoning.

It's perfectly fine to argue that it is better for various reasons if one does not lock the door to one's house, but it is mendacious to suggest that leaving one's door unlocked is as secure as locking it.

Reply Score: 1

RE[7]: it happens to everyone
by Thom_Holwerda on Tue 2nd Apr 2013 13:25 UTC in reply to "RE[6]: it happens to everyone"
Thom_Holwerda Member since:
2005-06-29

Antivirus companies have a product to sell. So, they make it appear as if Android - the most popular mobile platform by a huge and wide margin - is insecure. A few years ago, they tried the same tactic for iOS, and failed. Interestingly enough, Apple fanatics - rightfully so - attacked antivirus companies because of that. Now, you don't. Curious.

I have another explanation for there being more different variants of malware for Android: there are more versions and variants of Android, so malware needs to be adapted to each. End result: more malware families.

Until we actually see numbers about how many Android devices are infected, from an independent source, I'm not going to believe antivirus companies, who have a long history of lies, deceit, and other forms of despicable scummy behaviour.

Sounds a bit complacent to me. I wonder what your position would have been if it was reported that 79% of malware was found on iOS? Less complacent I suspect.


Your selective perception to solve your cognitive dissonance at work again, I see! Predictable.

Consider, for instance, my reporting on the Flashback trojan:

http://www.osnews.com/story/25776/Reports_Flashback_trojan_has_infe...

Just a single antivirus company making such claims is not something that piques my interest. Antivirus companies tend to be pretty sleazy, and they like nothing more than making a threat look bigger than it really is because, hey, what do you know, their antivirus product stops this particular super-dangerous cat-killing virustrojanmalwarething.

[...]

Now, we're looking at data from security firms, so I'm still a little bit sceptical. However, I'm risking the "You're anti-Apple!!1!!!"-crap because it's looking more and more like this is an actual serious issue. Do with it as you please.


Huh. It would appear you blocked this one out to solve your state of cognitive dissonance. I've got another one for you:

http://www.osnews.com/story/24475/Supposed_Mac_OS_X_Trojan_Another_...

Headline: "Supposed Mac OS X Trojan Another Piece of Linkbait"

All in all, these stories are linkbait - plain and simple. Security companies are a lot like politicians - they spread fear (terrorism, computer viruses) because they've got something to sell (laws that further impede your rights so they can maintain their own power, security software). Like politicians, security companies are not to be trusted, and are probably the worst scum in the software industry.


So, there you have it. The quoted claim from you is a lie. Will you apologise for spreading said lies? I highly doubt it.

Edited 2013-04-02 13:27 UTC

Reply Score: 3

RE[7]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 16:16 UTC in reply to "RE[6]: it happens to everyone"
Alfman Member since:
2011-01-28

Tony Swash,

Just a small personal request, but can you please cite the links to the sources of information when you are posting stats? It helps others take a quick look without having to dig up what you're talking about, thanks.

Reply Score: 2

RE[5]: it happens to everyone
by JAlexoid on Tue 2nd Apr 2013 14:31 UTC in reply to "RE[4]: it happens to everyone"
JAlexoid Member since:
2009-05-19

Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonably competent measurements of actual real-world security breaches and malware exploits based on large samples and large data sets.


Yes. Security breaches and exploits. Of which Android has suffered no more or less than iOS. (Even if you include such blunders as full RAM access by Samsung.)

But obviously, you will count user negligence as a security breach or exploit against your opponents when it suits you. You know, discounting social engineering that results in hundreds of dollars lost via IAP on iOS. Because user negligence is not the same as social engineering, when it comes to Apple...

The fact is - malware on Android is a regional and very localized problem. Much more so than even Windows. Google can't and shouldn't solve it. At most they can do malware scanning in the Play Store.

And the fact that F-Secure didn't state the level of threat coming from Play Store tells us that Google is doing a damn good job. Otherwise the title of that report would have been "Google Play Store is infested with malware - run for your lives!!! or buy our product..."

Reply Score: 3

RE[5]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 15:55 UTC in reply to "RE[4]: it happens to everyone"
Alfman Member since:
2011-01-28

Tony Swash,

"First of all a general point. Apple screens all software before allowing it to appear in the iOS app store. Google does not screen apps before allowing it to appear in Google Play."

I asked about "iOS as an operating system" specifically because I wanted to know whether there is anything iOS is really doing better with regards to security. I'm going to interpret the evasive response as a "no, there are no technical security advantages within iOS itself". Please correct me with specifics if this is wrong, but spare me the fanboy spin.



"I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible"

Of course I think security screening can help catch malware, but I'm not even sure there's much of that going on in Apple's store. Consider that even if the Q/A process has no security checks whatsoever, merely testing whether the application does what it advertises can significantly raise the barrier for malware authors who don't want to write fully functional applications as part of their malware scheme. Do you know for a fact (with credible sources) that apps in Apple's store undergo any security checks at all?


"Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonable competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets."


That's true in principle, but all too often someone ends up comparing apples and oranges, especially when one party is transparent about disclosing information and the other party is actively covering it up. Open source systems often set a very high bar for full disclosure (every single breach is public information). When other platforms aren't as forthcoming it can easily paint a false picture. I don't know how to solve this asymmetric disclosure conundrum or even how to measure the extent of the problem.


"Malware on mobile is an Android problem."

There's no doubt many malware authors are targeting the Android store because of its lenient store policies. If Android tightened up its store, more malware authors would probably spread their efforts elsewhere.

"Malware on Android is getting worse."

How do you know that?


I've said this before, but my opinion is that the best approach to app stores (for both Google and Apple) would be to have one repository for certified / well-tested apps, and another more inclusive repository for "use at your own risk" apps. This would appease both types of crowds and give consumers the benefit of making up their own minds how to use their own devices: either within the confines of the walled garden, or allowed to explore the forest beyond.

Edited 2013-04-02 16:03 UTC

Reply Score: 2

RE[2]: it happens to everyone
by kristoph on Mon 1st Apr 2013 23:18 UTC in reply to "RE: it happens to everyone"
kristoph Member since:
2006-01-01

Please read again what you wrote and give it some thought. You disputed my points with absolutely no tangible support at all. You simply said they were 'false'. You reference an article that is totally unrelated to technology - which is what I was speaking about - and was a pure social engineering hack. You discounted my opinion because you claim I was a 'fanboi'.

It's weak dude. If you have a solid argument then make it, demonstrate it with facts, without insults and name calling. Your arguments will carry much more weight and people - even those that disagree with you - would give you much more respect.

I'll add that I made a point of saying that it was Microsoft who places the greatest emphasis on security and I absolutely think Google Chrome as a browser has the best security out there and gmail makes the most effort to eliminate phishing scams.

On the other hand Mac OS X has a much lower malware infection rate (and the gap has increased now that, by default, you can't install unsigned apps) than Windows, and iOS has virtually no malware while Android is riddled with it. I understand this is because Apple simply locks down its platforms (which many think is a bad thing), but if you bother to read what CIOs are saying, they're much more comfortable with Apple's security than any other for desktop/mobile use.

Anyhow I am not here to apologize for anyone, I simply think that Thom is pushing his agenda (and he has made it clear on a number of occasions he has a 'bias') and I think that's sort of lame. We don't need to bash one another to have an intelligent discussion on the merits of one platform or another. The pre-Thom OSNews was much more egalitarian, and much more respectful, and I think it sucks that that's changed.

Reply Score: 2

RE[3]: it happens to everyone
by moondevil on Tue 2nd Apr 2013 11:09 UTC in reply to "RE[2]: it happens to everyone"
moondevil Member since:
2005-07-08

On the other hand Mac OS X has a much lower malware infection rate (and the gap has increased now that, by default, you can't install unsigned apps) than Windows, and iOS has virtually no malware while Android is riddled with it. I understand this is because Apple simply locks down its platforms (which many think is a bad thing), but if you bother to read what CIOs are saying, they're much more comfortable with Apple's security than any other for desktop/mobile use.


Except, exactly like in the Windows 9X -> XP transition, many users disable these security mechanisms, because they see them as something that gets in the way.

Reply Score: 1

RE[3]: it happens to everyone
by JAlexoid on Tue 2nd Apr 2013 14:40 UTC in reply to "RE[2]: it happens to everyone"
JAlexoid Member since:
2009-05-19

On the other hand Mac OS X has a much lower malware infection rate (and the gap has increased now that, by default, you can't install unsigned apps) than Windows, and iOS has virtually no malware while Android is riddled with it. I understand this is because Apple simply locks down its platforms (which many think is a bad thing), but if you bother to read what CIOs are saying, they're much more comfortable with Apple's security than any other for desktop/mobile use.


Yes, I do know what a lot of CIOs think, since I happen to work with a lot of them directly. Apple's security on the desktop is no more a concern than it is on Windows. CIOs are aware of what and how; most of them are not stupid individuals and know where the problems lie.
Same goes for Android vs iOS; it's more an issue of MDM tool support than anything else... And even then, none of the CIOs that have MDM solutions in place or have researched them are against either of the platforms.

Reply Score: 2

RE: it happens to everyone
by Soulbender on Tue 2nd Apr 2013 02:32 UTC in reply to "it happens to everyone"
Soulbender Member since:
2005-08-18

it's an inescapable part of a rapid/agile software development process.


If security flaws are an "inescapable part" of your development process then your process is fundamentally flawed.

They run automated security tests and when those tests don't cover a particular case a security lapse occurs.


If the software was properly engineered that wouldn't automatically happen.

Although this exploit was 'dead simple' it was also not at all 'obvious' as it was not previously discovered.


The fact that it wasn't discovered before doesn't mean it's not obvious.

Reply Score: 3

RE[2]: it happens to everyone
by Nelson on Tue 2nd Apr 2013 03:49 UTC in reply to "RE: it happens to everyone"
Nelson Member since:
2005-11-29


If security flaws are an "inescapable part" of your development process then your process is fundamentally flawed.


I don't think so, it comes with the territory -- people make mistakes. Though I disagree with the OP's argument that agile is more prone to security flaws.

It's also worth noting that Apple's particular flaws, while still flaws and while they are still just a normal part of the process, are especially basic. Security is a mindset that's built into the culture of a company. If Apple is making these kinds of mistakes, there's something wrong there.

Reply Score: 2

RE[3]: it happens to everyone
by Soulbender on Tue 2nd Apr 2013 04:05 UTC in reply to "RE[2]: it happens to everyone"
Soulbender Member since:
2005-08-18

I don't think so, it comes with the territory -- people make mistakes.


Of course, that's unavoidable, but the argument was that security issues were inherent to the process Apple uses to develop software. If that's the case, the process is flawed.

Reply Score: 2

RE[2]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 03:54 UTC in reply to "RE: it happens to everyone"
Alfman Member since:
2011-01-28

Soulbender,

"If security flaws are an 'inescapable part' of your development process then your process is fundamentally flawed."

I agree with you, it's shameful that there are developers who regularly produce security holes in software. But at the same time it's sort of a by-product of the fast and cheap development process that companies are seeking. My experience with most companies is that "security" is little more than a PR selling point and not a genuine development philosophy.


"If the software was properly engineered that wouldn't automatically happen."

I think the OP was merely explaining the situation on the ground rather than trying to justify it. If so, I think he's right. It'd be nice if things were engineered correctly in the first place, but security is rarely a priority in development and usually only gets tackled in hindsight. I agree with you it's the wrong way to do it.

Reply Score: 3

RE[3]: it happens to everyone
by Brendan on Tue 2nd Apr 2013 05:07 UTC in reply to "RE[2]: it happens to everyone"
Brendan Member since:
2005-11-16

Hi,

I think the OP was merely explaining the situation on the ground rather than trying to justify it. If so, I think he's right. It'd be nice if things were engineered correctly in the first place, but security is rarely a priority in development and usually only gets tackled in hindsight. I agree with you it's the wrong way to do it.


A company's only goal is profit - their products are just a by-product of that. If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the "wrong" way to do it.

- Brendan

Reply Score: 3

RE[4]: it happens to everyone
by Alfman on Tue 2nd Apr 2013 06:36 UTC in reply to "RE[3]: it happens to everyone"
Alfman Member since:
2011-01-28

Brendan,

"A company's only goal is profit - their products are just a by-product of that. If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the 'wrong' way to do it."

That's all true, and it wouldn't be a big deal if the company were only putting its own data at risk. Unfortunately the victim of these poor security measures is often not the company but rather its customers. Companies should have a responsibility to protect customer data. When a company takes private data and says it will keep it private, it's borderline fraud when they take shortcuts and fail to implement good security practices.

I realize my security demands are futile in modern business where nothing is worth doing right if it can be done wrong for cheaper. But frankly sanitizing input should automatically be standard practice for all developers on all user facing projects without needing to be justified on a balance sheet, sheesh.

I miss the old maxim: If it's worth doing, it's worth doing right.

Reply Score: 3

RE[4]: it happens to everyone
by ricegf on Tue 2nd Apr 2013 09:47 UTC in reply to "RE[3]: it happens to everyone"
ricegf Member since:
2007-04-25

Not all companies set profit as their only goal.

Reply Score: 4

RE[4]: it happens to everyone
by Soulbender on Tue 2nd Apr 2013 11:32 UTC in reply to "RE[3]: it happens to everyone"
Soulbender Member since:
2005-08-18

A company's only goal is profit


That's not universally true and I doubt it's even true for most companies.

If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the "wrong" way to do it.


No, it's still the wrong way to engineer things. Correct engineering is not a function of profit goals.

Reply Score: 3

Ongoing improvements
by bowkota on Mon 1st Apr 2013 16:43 UTC
bowkota
Member since:
2011-10-12

The article makes some good points but it's also completely flawed.
I think they were writing this for some time, then Apple introduced the improved authentication system (albeit only in a few countries) and kind of screwed it up for them.

Apple does indeed need to improve more on security.
However, they've not been idle. Gatekeeper (great for non-tech savvy people) and sandboxing on the mac. They're certainly working on it.

As for iOS, well go check out malmware on Google playstore and then come back. And I'm not even mentioning the countless numerous security flaws which don't get patched up on Android because it takes months (if ever) to get an update.

MS is doing a much better job.

PS: what's up with the layout? Lots of useless images, uneven formatting, not what we're used to seeing from the Verge; looks like a rushed job.

Reply Score: 1

RE: Ongoing improvements
by BallmerKnowsBest on Mon 1st Apr 2013 18:12 UTC in reply to "Ongoing improvements"
BallmerKnowsBest Member since:
2008-06-02

The article makes some good points but it's also completely flawed.


Don't worry, I'm sure no one here expected you to have a different take on it.

As for iOS, well go check out malmware on Google playstore and then come back.


And? Hate to break it to you, but "malmware" [sic] still makes it into the app store, despite the supposed infallibility of Apple's approval process. So compared to Android, iOS has severely limited functionality - and all you get for that tradeoff is a false sense of security. Now THERE's a value proposition!

And even that requires giving Apple the benefit of the doubt, taking Apple at their word that the app store approval process is primarily intended to protect end users... As opposed to just protecting Apple from competition and anything else they deem undesirable.

And I'm not even mentioning the countless numerous security flaws which don't get patched up on Android because it takes months (if ever) to get an update.


So... your point is that OS updates are more difficult with a diverse platform like Android, compared to a single-vendor monoculture like iOS? Stop the presses!

Reply Score: 3

RE[2]: Ongoing improvements
by Nelson on Tue 2nd Apr 2013 03:55 UTC in reply to "RE: Ongoing improvements"
Nelson Member since:
2005-11-29


And? Hate to break it to you, but "malmware" [sic] still makes it into the app store, despite the supposed infallibility of Apple's approval process. So compared to Android, iOS has severely limited functionality - and all you get for that tradeoff is a false sense of security. Now THERE's a value proposition!


Sure, it gets in everywhere, but I don't think you can deny that Android has a significantly bigger malware problem than the other platforms.

I'm unsure how Apple gives you a false sense of security, because I wasn't aware that this was related to the specific type of security issues that curated app stores mitigate.



So... your point is that OS updates are more difficult with a diverse platform like Android, compared to a single-vendor monoculture like iOS? Stop the presses!


No one cares about the excuse, only what actually is. The current case is that Android devices are sometimes shut out from critical security patches over carrier politics.

Reply Score: 3

RE: Ongoing improvements
by moondevil on Tue 2nd Apr 2013 11:14 UTC in reply to "Ongoing improvements"
moondevil Member since:
2005-07-08

The Windows NT family of operating systems has also been quite secure since the early days.

Windows problems on those systems were not the security mechanisms not being available, but rather developers and users turning them off by running as Administrator all the time.

Many Mac OS X non-technical users seem to be doing the same nowadays.

Reply Score: 3

RE: Ongoing improvements
by JAlexoid on Tue 2nd Apr 2013 14:46 UTC in reply to "Ongoing improvements"
JAlexoid Member since:
2009-05-19

As for iOS, well go check out malmware on Google playstore and then come back. And I'm not even mentioning the countless numerous security flaws which don't get patched up on Android because it takes months (if ever) to get an update.


I did, since you didn't. And malware is a non-issue on the Play Store. (I mean password stealing, premium SMS sending and security controls overcoming apps.)

Reply Score: 2

Alfman
Member since:
2011-01-28

Here's the real irony: osnews.com is vulnerable to the same thing!


I have an external link that exploits an osnews web vulnerability to reset the password of a logged in user to "hacked".

Works under Firefox, not IE since I didn't bother... even malware authors have to struggle around incompatibilities ;)

I'll be a nice guy and email Thom a link in private so they can confirm it and fix it ;)

Reply Score: 2

Alfman Member since:
2011-01-28

Thom,


It occurs to me that it would have been nicer still to not say anything at all in public, but I couldn't resist exposing the irony. I hope we can all have a good laugh ;)

Reply Score: 2

galvanash Member since:
2006-01-25

Now that you point it out there is an obvious security issue on the account preferences page. There is a reason most such systems require the user to re-enter their existing password in order to change it...

That said, osnews.com is not Apple - I think it is fair to hold them to a slightly higher standard.

Reply Score: 2

Alfman Member since:
2011-01-28

galvanash,


"Now that you point it out there is an obvious security issue on the account preferences page. There is a reason most such system require the user to re-enter their existing password in order to change it..."

Yea, there are vulnerabilities on several pages, which you can probably find if you poke around with an eye for them. I'd like to discuss them because they're common web problems, but so far they haven't responded and I feel guilty pointing them out before they're fixed. It's probably unlikely anyone will fix them before this article times out.


"That said, osnews.com is not Apple - I think it is fair to hold them to a slightly higher standard."


Haha, I've read this sentence several times now and it's not semantically clear at all which one you are holding to a higher standard ;)

Edit: Often companies are lazy at fixing both known and unknown vulnerabilities until the exploits for them are in the wild. This is probably why many security researchers end up being frustrated with "proper channels" and publish their exploits, which forces companies to promptly fix their stuff. What are osnews readers' opinions on the morality of public disclosure of security vulnerabilities?

Edited 2013-04-02 01:40 UTC

Reply Score: 3

galvanash Member since:
2006-01-25

"That said, osnews.com is not Apple - I think it is fair to hold them to a slightly higher standard."


Haha, I've read this sentence several times now and it's not semantically clear at all which one you are holding to a higher standard ;)


I meant that it seems fair to me to hold Apple to a higher standard, but point taken - I did word that poorly.

What are osnews readers' opinions on the morality of public disclosure of security vulnerabilities?


I think in this case public disclosure is more than fair - the problem is so obvious it is in fact announcing itself...

ps. If you really want to get Thom's attention send him a link to the exploit in an email... Just tell him what you are going to change his password to first ;)

Edited 2013-04-02 02:34 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

galvanash,

"ps. If you really want to get Thom's attention send him a link to the exploit in an email... Just tell him what you are going to change his password to"

That's actually what I did. The exploit I used was a bit more sophisticated than redirected form submission - it takes over control of the user session in an iframe (which is the reason it was browser dependent) and passes control to another server.


This year one of my clients was attacked with one of the most sophisticated PHP attacks I had seen to date. Malicious code was uploaded on one website through an image upload form, propagated to another website through background mirroring jobs, and exploited on that second website. The code was self-obfuscating and ultimately extracted and installed a PHP trojan which was used to conduct an attack on another third-party server (who accused us of hacking them).

Reply Score: 2
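The two points raised in this exchange, galvanash's "re-enter the existing password" rule and the forged form submission / framed-session delivery Alfman mentions, boil down to one defensive pattern for a password-change endpoint. Below is an added illustration of that pattern; it is not osnews.com's code and not anything posted in this thread. The in-memory user table, session store, handler names, status codes and sample passwords are all constructed for the example. It puts the weak handler (any POST that carries the session cookie wins) next to a hardened one that demands a per-session CSRF token, proof of the current password, and a browser fetch-metadata hint, and that invalidates existing sessions once the password changes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for a site's user table and session store
# (hypothetical; not the code of any real site).
USERS = {}     # username -> (salt, PBKDF2 digest)
SESSIONS = {}  # session id -> {"user": name, "csrf": per-session token}


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _digest(password, salt))


def verify_password(username, password):
    salt, digest = USERS[username]
    return hmac.compare_digest(digest, _digest(password, salt))


def login(username, password):
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def change_password_weak(req):
    """The flawed pattern: a live session cookie is the only check."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    set_password(sess["user"], req.form["new_password"])
    return 200


def change_password_hardened(req):
    """Cookie + CSRF token + current password; rotates sessions afterwards."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    # Requests that the browser flags as cross-site are refused outright; an
    # absent header is tolerated only for browsers that predate Fetch Metadata.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    # The per-session token is unreadable from another origin, so a forged
    # form cannot supply it (constant-time compare against the stored value).
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    # Re-authentication: proof of the current password, not just of a cookie.
    if not verify_password(sess["user"], req.form.get("current_password", "")):
        return 403
    user = sess["user"]
    set_password(user, req.form["new_password"])
    # Every session of this user (a hijacked one included) is now invalid.
    for stale in [s for s, v in SESSIONS.items() if v["user"] == user]:
        del SESSIONS[stale]
    return 200


def _fresh_victim():
    USERS.clear()
    SESSIONS.clear()
    set_password("alice", "correct horse battery")
    return login("alice", "correct horse battery")


def forged_request(sid):
    # A page on another origin auto-submitting a form: the browser attaches the
    # victim's cookie, but the page can neither read the CSRF token nor supply
    # the current password.
    return Request(cookies={"sid": sid}, form={"new_password": "hacked"},
                   headers={"Sec-Fetch-Site": "cross-site"})


def demo():
    """Run the forged request against both handlers, then a legitimate one."""
    sid = _fresh_victim()
    weak_status = change_password_weak(forged_request(sid))
    weak_hijacked = verify_password("alice", "hacked")

    sid = _fresh_victim()
    hardened_forged = change_password_hardened(forged_request(sid))
    old_password_intact = verify_password("alice", "correct horse battery")
    legit = Request(cookies={"sid": sid},
                    form={"csrf": SESSIONS[sid]["csrf"],
                          "current_password": "correct horse battery",
                          "new_password": "a different passphrase"},
                    headers={"Sec-Fetch-Site": "same-origin"})
    hardened_legit = change_password_hardened(legit)
    return {"weak_status": weak_status, "weak_hijacked": weak_hijacked,
            "hardened_forged": hardened_forged,
            "old_password_intact": old_password_intact,
            "hardened_legit": hardened_legit,
            "new_password_set": verify_password("alice", "a different passphrase"),
            "session_rotated": sid not in SESSIONS}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The current-password check is the one control that holds regardless of how the request is delivered, including from a framed, already-authenticated session, because the attacker's page never learns that secret; the CSRF token and the Fetch Metadata check are cheaper defence in depth on top of it. Refusing to be framed at all (an `X-Frame-Options: DENY` response header on account pages) is a separate control not shown here.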

Alfman Member since:
2011-01-28

Thom,
This is still not fixed, and I haven't even heard a peep from you or David in email or here. It was no April first joke, the accounts of osnews users are absolutely vulnerable.

Reply Score: 2