Linked by Thom Holwerda on Fri 20th Mar 2009 13:51 UTC, submitted by google_ninja
Privacy, Security, Encryption Fresh from winning the PWN2OWN contest yesterday, Charlie Miller has been interviewed by ZDNet. He talks about how Mac OS X is a very simple operating system to exploit due to the lack of any form of anti-exploit features. He also explains that the underlying operating system is much more important in creating a successful exploit than the bowser, why Chrome is so hard to hack, and many other things.
Thread beginning with comment 354119
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Operating System Security
by MikeekiM on Fri 20th Mar 2009 14:26 UTC in reply to "Operating System Security"
MikeekiM
Member since:
2005-11-16

axe to grind with Apple? Did they refuse to give he a free laptop or something?

BSD had these security features first.
BSD is the most secure OS.
Apple, in the real world, still is the most secure desktop.

Reply Parent Score: -3

Isolationist Member since:
2006-05-28

axe to grind with Apple? Did they refuse to give he a free laptop or something?

BSD had these security features first.
BSD is the most secure OS.
Apple, in the real world, still is the most secure desktop.



On what grounds is BSD the most secure OS, and more to the point Apple???

Reply Parent Score: 5

jayson.knight Member since:
2005-07-06

axe to grind with Apple? Did they refuse to give he a free laptop or something? BSD had these security features first. BSD is the most secure OS. Apple, in the real world, still is the most secure desktop.


Unbelievable. Here is an interview with a guy who is most definitely a better programmer than pretty much anyone on OSNews, who has been doing this longer than any of us. In this interview he says "OSX is unsecure, there are almost no hurdles to jump through to take control of a system" and you say that Apple has the most secure desktop. Are you really that delusional?

At least the Windows folks can admit that it's got security issues. Apple fanboys are a rare breed, and for them to make claims like the one above is just flat out ignorance.

Reply Parent Score: 15

TBPrince Member since:
2005-07-06

Unbelievable. Here is an interview with a guy who is most definitely a better programmer than pretty much anyone on OSNews, who has been doing this longer than any of us. In this interview he says "OSX is unsecure, there are almost no hurdles to jump through to take control of a system" and you say that Apple has the most secure desktop. Are you really that delusional? At least the Windows folks can admit that it's got security issues. Apple fanboys are a rare breed, and for them to make claims like the one above is just flat out ignorance.


With all the money they pour to buy that overpriced hardware stuff, it HAS to be the most secure ;-) Mind you that they are all excited about iPhone 3.0 OS in order to get those two advanced and innovatite features:

* cut&paste;
* sending MMS out.

lol

ops! Sorry... I know it will sound trollish and I bed your (preventive) pardon ;-)

Reply Parent Score: 6

Adam S Member since:
2005-04-01

"OSX is unsecure, there are almost no hurdles to jump through to take control of a system"


Actually, he didn't say "take control." He said exploit. And really that's the issue: if the exploit is just that it can read a given site's cookie, or that it can write a non-executable file or something, that's not nearly as serious.

Reply Parent Score: 1

RE[2]: Operating System Security
by rajj on Fri 20th Mar 2009 17:22 in reply to "RE: Operating System Security"
rajj Member since:
2005-07-06

The BSD's, and OpenBSD in particular, have had very few remotely exploitable bugs in a default install. IIRC, OpenBSD has only had two in over ten years now.

Reply Parent Score: 1

sakeniwefu Member since:
2008-02-26

The BSD's, and OpenBSD in particular, have had very few remotely exploitable bugs in a default install.


OpenBSD has a lot of measures no other OS uses or has started to use only recently(eg. ASLR in Win and Linux) which make the very few bugs very difficult(as in almost impossible) to exploit.

As the interviewee makes clear, it is this sort of thing, ASLR, sandboxes, stack canaries, etc. that make an attacker's life difficult.

*BSD and MacOS X have been disregarding those features because they negatively affect performance, and now they are reaping the fruits of shame.

Bugs might be a lot or a handful, but if you do nothing to keep the attackers' from playing around with your unpatched bugs, the game is over for you.

Reply Parent Score: 6

MobyTurbo Member since:
2005-07-08

OpenBSD had those security features first, but OS X has relatively few of them; Unix does not have the same level of security for all it's variants, and in fact, other than the fact that you don't run as root most of the time, Unix is not all that secure an operating system unless the flavor adds additional security features and run secure programs. (Note how many remote root security bugs there were in sendmail(1) for example, running on the typical non-OpenBSD *BSD.) Oh well, at least Safari isn't in the kernel and used throughout the OS by programs via DLLs like Internet Explorer, if it was, OS X would *really* be in trouble.

Reply Parent Score: 0

kaiwai Member since:
2005-07-06

OpenBSD had those security features first, but OS X has relatively few of them; Unix does not have the same level of security for all it's variants, and in fact, other than the fact that you don't run as root most of the time, Unix is not all that secure an operating system unless the flavor adds additional security features and run secure programs. (Note how many remote root security bugs there were in sendmail(1) for example, running on the typical non-OpenBSD *BSD.) Oh well, at least Safari isn't in the kernel and used throughout the OS by programs via DLLs like Internet Explorer, if it was, OS X would *really* be in trouble.


I get the point of your post but there is no use resorting to lying by claiming that Internet Explorer is in the kernel.

As for UNIX - what is UNIX? its a specification; there is nothing stopping any vendor from adding additional features in the case of security such as ASLR, encrypted swap, Sandboxes, etc. etc. To some how throw all 'UNIX' under one banner is ignorant of the fact that there is no such thing as a UNIX operating system - there are just implementations of it.

Edited 2009-03-21 00:26 UTC

Reply Parent Score: 1

siride Member since:
2006-01-02

IE was never in the kernel. I don't know where people get this kind of stuff from.

Reply Parent Score: 4