Linked by Hadrien Grasland on Sat 25th Jun 2011 08:55 UTC, submitted by John
Mac OS X "Using a Mac may certainly be a safer choice for a lot of people as despite being vulnerable they are not targeted. However this is not the same as Macs being secure, something Eric Schmidt erroneously advised recently. I may be able to browse impervious to malware on a Mac at the moment, however I personally would not be comfortable using a platform so easily compromised if someone had the motivation to do so. In this article I address just why OS X is so insecure including the technical shortcomings of OS X as well as Apples policies as a company that contribute to the situation."
Thread beginning with comment 478612
RE[4]: Just another article
by jack_perry on Sun 26th Jun 2011 00:13 UTC in reply to "RE[3]: Just another article"
jack_perry
Member since:
2005-07-06

By only letting applications access their own folder and files explicitly pointed out by the user.

I don't see how this is a solution. A trojan that can convince a user to install it, can also convince a user to grant it access to all files in a Documents directory. Never mind the hassle to the user who's trying to run serious programs.

Reply Parent Score: 2

RE[5]: Just another article
by Alfman on Sun 26th Jun 2011 04:58 in reply to "RE[4]: Just another article"
Alfman Member since:
2011-01-28

Neolander,
"By only letting applications access their own folder and files explicitly pointed out by the user."

jack_perry,
"I don't see how this is a solution. A trojan that can convince a user to install it, can also convince a user to grant it access to all files in a Documents directory. Never mind the hassle to the user who's trying to run serious programs."

Imagine a new OS which doesn't have to inherit legacy software. A user can download, install, and run any application in a sandbox by default. The sandbox could access files opened explicitly through drag and drop or an open dialog box, as well as files created itself.

By and large, legitimate applications (games/editors) will be able to run in the sandbox without any privilege escalation.

If an app turns out to be malicious, its damage would be very limited in scope because of the sandbox.

If a game is downloaded from a P2P network and requests higher privileges (let's say to access email), one could be fairly confident that it is malware.

Reply Parent Score: 3

RE[6]: Just another article
by jack_perry on Sun 26th Jun 2011 20:43 in reply to "RE[5]: Just another article"
jack_perry Member since:
2005-07-06

Okay, it might not be that much of a hassle (though I'm not convinced). None of this addresses the main point of my argument.

We're talking about trojans, right? Somehow a user is convinced to install a trojan, perhaps because (s)he's visiting the seedier side of the web. (Torrents, of course. What'd you think I meant?)

Now, the trojan is called "MacDefender" and promises to defend you against viruses both old and yet unwritten (through new, amazing technology developed by researchers so recently that the mainstream OS makers haven't yet implemented it). But, to do that, it needs access to all your files -- your Documents directory, say.

Of course, it could ask for more, but I'm working under the desired outcome, which is to access only the Documents directory. I don't see how any OS defends against this, and Neolander's proposed solution won't do it. Remember that part of the hypothesis is that we're dealing with a user dumb enough to install a virus program from a seedy web site in the first place!

So, how do non-Mac OSes defend against this? I'm still waiting for a solution, not for a defense of how a non-solution isn't that inconvenient.

Edited 2011-06-26 20:44 UTC

Reply Parent Score: 2

RE[5]: Just another article
by Neolander on Sun 26th Jun 2011 05:35 in reply to "RE[4]: Just another article"
Neolander Member since:
2010-03-08

I don't see how this is a solution. A trojan that can convince a user to install it, can also convince a user to grant it access to all files in a Documents directory. Never mind the hassle to the user who's trying to run serious programs.

I think you'd be surprised by how many desktop applications would be fine with no more access to your home or document folder than their own files and the files which you explicitly direct them to (through a system open file dialog, drag and drop or a CLI parameter). Most software is not dangerous by its very nature.

About six months ago, while I was using Windows as my primary OS, I did the following exercise: opening the "Add and remove software" dialog of my Windows install, and finding out what security permissions each entry would need, given a redesign for a sandboxed OS. As it turns out, few entries actually needed disk access to more than their private folder and user-picked files at a conceptual level. These were...
-Adobe Flash Player, because it copies itself into web browsers' private folders (and as such alters your web browsing experience).
-AVG 2011, because current antivirus software wants to take over your entire system in the same way as malware.
-System updates.
-Driver software for my phone.

Would you agree that all of these are sufficiently dangerous to reasonably require a security warning and a double check that they come from a reliable source?

Now imagine that the huge majority of applications which do not require a warning get installed very quickly, without hassle. Only when you install a truly dangerous piece of software do you get a warning. This way, you get a much improved user experience for everyday use and a much stronger user awareness and cooperation when some installation actually involves dangerous software. Add up a security warning dialog that is actually informative (unlike Windows UAC and its OSX equivalent), as permitted by the sandboxed model, and you get much stronger security than what we have now.

Edited 2011-06-26 05:55 UTC

Reply Parent Score: 2
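The sandbox model Alfman and Neolander sketch above (an app may touch its own private folder plus the files the user explicitly hands it) is simple to state but easy to get wrong at the path-resolution step. The following is an added example, not code from the thread or from any real OS: a small policy check that resolves symlinks and `..` before deciding, so that an app cannot widen its own grant by planting a symlink in its private folder. All names (`Sandbox`, `guarded_open`, the directory layout built by `demo`) are assumptions made for illustration; the file layout is constructed in a temporary directory.

```python
"""Added example: 'private folder + explicitly granted files' sandbox check.
Not code from the thread or from any OS; all names are illustrative."""
import os
import shutil
import tempfile


class Sandbox:
    """Allows an app read/write to its own private directory and to the
    paths the user explicitly granted (open dialog, drag and drop, CLI arg)."""

    def __init__(self, app_dir):
        # Canonicalise once so comparisons below are on resolved paths.
        self.app_dir = os.path.realpath(app_dir)
        self.granted = set()

    def grant(self, path):
        # Resolve at grant time so a later symlink swap cannot change the target.
        self.granted.add(os.path.realpath(path))

    def allows(self, path):
        real = os.path.realpath(path)  # collapses '..' and follows symlinks
        if real in self.granted:
            return True
        # Anything under the private folder, including subdirs the app creates.
        return os.path.commonpath([real, self.app_dir]) == self.app_dir


def guarded_open(sandbox, path, mode="r"):
    """open() wrapper that enforces the policy instead of trusting the app."""
    if not sandbox.allows(path):
        raise PermissionError("sandbox: access to %s not granted" % path)
    return open(path, mode)


def demo():
    """Builds a constructed layout under a temp dir and returns the decisions
    the policy makes for a set of interesting paths."""
    root = tempfile.mkdtemp()
    try:
        app_dir = os.path.join(root, "apps", "game")
        docs = os.path.join(root, "home", "Documents")
        os.makedirs(app_dir)
        os.makedirs(docs)
        secret = os.path.join(docs, "taxes.txt")        # never granted
        shared = os.path.join(docs, "savegame.dat")     # user picked this one
        for p in (secret, shared):
            with open(p, "w") as f:
                f.write("data")
        # A malicious app plants a symlink inside its own folder that points
        # at the user's Documents, hoping 'inside my folder' means 'allowed'.
        os.symlink(docs, os.path.join(app_dir, "link"))

        sb = Sandbox(app_dir)
        sb.grant(shared)
        return {
            "own_file": sb.allows(os.path.join(app_dir, "config.ini")),
            "own_subdir": sb.allows(os.path.join(app_dir, "cache", "x")),
            "granted": sb.allows(shared),
            "ungranted": sb.allows(secret),
            "traversal": sb.allows(os.path.join(
                app_dir, "..", "..", "home", "Documents", "taxes.txt")),
            "symlink_escape": sb.allows(os.path.join(app_dir, "link", "taxes.txt")),
            # Reaching a granted file through the symlink is still fine:
            # the resolved path is the one the user picked.
            "symlink_to_granted": sb.allows(
                os.path.join(app_dir, "link", "savegame.dat")),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-20s %s" % (name, "allow" if ok else "deny"))
```

The point the code makes is that the decision must be taken on the resolved path, not on the string the app supplied; the `traversal` and `symlink_escape` cases are exactly the ones a trojan would try once it is confined to its own folder. A real implementation would do this in the kernel or broker process at `open()` time rather than in the app's address space.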

RE[6]: Just another article
by Alfman on Sun 26th Jun 2011 07:49 in reply to "RE[5]: Just another article"
Alfman Member since:
2011-01-28

Neolander,

Those things would be practically free (given the ability to sandbox an app in the first place). So it makes so little sense that we're not doing those things today. They're obvious improvements to typical security models in use today.

Operating systems also need to do a better job of managing fine grained access.

On one system after an upgrade, I was troubleshooting a mysql issue. It would fail for no apparent reason - it indicated a file didn't exist, but it did and was owned by mysql. I ran strace against mysql, and to my surprise Linux was reporting that the file didn't exist. I was extremely frustrated and straced mysql as root, which worked fine. Long story short, unbeknownst to me, Ubuntu's "apparmor" package made the file inaccessible to mysql. I admit inexperience with apparmor, however the level of grief caused by it was totally unacceptable. A normal user might have given up and run mysql as root.

I know there's a delicate balance to be reached somewhere, but the simple rules described by Neolander would go a long way to improving usability and security.

Reply Parent Score: 3
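The AppArmor symptom Alfman describes (strace shows a failure on a file that exists and has the right owner) is diagnosable because every denial is also written to the kernel log as a `type=1400` / `apparmor="DENIED"` record naming the profile, the path and the denied permission mask. The following is an added example, not part of the thread and not Ubuntu's or AppArmor's own code: a small parser that pulls those records out of log text, groups them per profile, and prints the profile rule that would allow each one (which is what Ubuntu's `aa-logprof` does interactively). The log lines in `SAMPLE_LOG` are constructed for illustration; the field layout follows AppArmor's audit format, and the mysqld data directory shown is an assumption.

```python
"""Added example: extracting AppArmor denials from kernel/audit log text.
Not code from the thread, Ubuntu or AppArmor; sample log lines are constructed."""
import re
from collections import defaultdict

# Constructed log excerpt in AppArmor's audit record layout.
SAMPLE_LOG = """\
Jun 26 04:40:12 host kernel: [ 1234.567890] type=1400 audit(1309063212.123:41): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/var/lib/mysql/mydb/users.frm" pid=2112 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=105 ouid=105
Jun 26 04:40:12 host kernel: [ 1234.567901] type=1400 audit(1309063212.124:42): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/srv/mysql-data/ib_logfile0" pid=2112 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=105 ouid=105
Jun 26 04:40:13 host kernel: [ 1235.000001] type=1400 audit(1309063213.000:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=900 comm="cupsd" requested_mask="r" denied_mask="r"
Jun 26 04:40:14 host kernel: [ 1236.000000] usb 1-1: new high-speed USB device number 4
"""

# key="quoted value" or key=bareword, as AppArmor audit records are written.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key/value fields of an AppArmor record, or None if the
    line is not one (ordinary kernel chatter is skipped)."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def denials(log_text):
    """All records whose apparmor field is DENIED (ALLOWED/complain-mode
    records are informational and are left out)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("apparmor") == "DENIED":
            out.append(rec)
    return out


def summarize(log_text):
    """profile -> set of (path, denied_mask), i.e. what each confined
    program tried to do and was refused."""
    by_profile = defaultdict(set)
    for rec in denials(log_text):
        by_profile[rec["profile"]].add((rec.get("name", "?"),
                                        rec.get("denied_mask", "?")))
    return dict(by_profile)


def suggest_rule(path, mask):
    """The AppArmor profile line that would permit this access; whether to
    add it (or move the data elsewhere) is a judgement call for the admin."""
    return "%s %s," % (path, mask)


if __name__ == "__main__":
    for profile, entries in summarize(SAMPLE_LOG).items():
        print("profile %s denied:" % profile)
        for path, mask in sorted(entries):
            print("  %s (%s)  -> rule: %s" % (path, mask, suggest_rule(path, mask)))
```

The practical check this encodes is: before reaching for `sudo` or `chmod 777`, run `dmesg | grep apparmor` (or read `/var/log/kern.log` / the audit log) and look for `apparmor="DENIED"` against the process's profile. In the constructed sample, mysqld was moved to a data directory outside the paths its shipped profile knows about, which is a common cause of exactly the "file does not exist" puzzle in the post.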