Linked by Thom Holwerda on Wed 12th Sep 2018 00:00 UTC
Mac OS X

Back in 2016, security researcher and developer Jonathan Zdziarski released a tool called Little Flocker that could protect Macs at the file level. Much as a firewall analyzes and blocks network traffic, Little Flocker locked down the file system and allowed only authorized applications access to only approved files.

Little Flocker was too complex to manage for average users, but it quickly became a darling among Mac security experts.

[...]

When Zdziarski took a job at Apple in 2017, he sold Little Flocker to the security vendor F-Secure, which released it as Xfence. Zdziarski's job change started the clock ticking on when we might see similar capabilities built into macOS. With macOS 10.14 Mojave, Apple has added file-level protections, plus some additional security enhancements. And you know what? Mojave is running into the same usability issues that users of Little Flocker endured.

I had never heard of this functionality. It seems like one of those things particularly Apple ought to be good at to integrate in a user-friendly manner.

E-mail Print r 3   3 Comment(s)
Thread beginning with comment 662271
To read all comments associated with this story, please click here.
Comment by Drumhellar
by Drumhellar on Wed 12th Sep 2018 20:27 UTC
Drumhellar
Member since:
2005-07-12

It seems like one of those things particularly Apple ought to be good at to integrate in a user-friendly manner.


I doubt it. Whatever your security model is, it basically exists on a line:

One the left side is effectiveness, and the right side is convenience. Any security model exists on that line somewhere. The more convenient, the less effective, and vice-versa.

Creating an effective security model that is also convenient, I think, is something that simply wont happen. I think the two qualities are mutually exclusive.

Reply Score: 3

RE: Comment by Drumhellar
by ssokolow on Thu 13th Sep 2018 01:59 in reply to "Comment by Drumhellar"
ssokolow Member since:
2010-01-21

I doubt it. Whatever your security model is, it basically exists on a line:

One the left side is effectiveness, and the right side is convenience. Any security model exists on that line somewhere. The more convenient, the less effective, and vice-versa.

Creating an effective security model that is also convenient, I think, is something that simply wont happen. I think the two qualities are mutually exclusive.


There's a difference between a general rule like that and special cases.

For example, a game can be pretty effective without access to the filesystem outside its little sandbox and an office suite can be pretty effective if you add something like Android Intents or Flatpak Portals to offload the file picker to trusted code.

Just generally applying the rule could lead you to the conclusions that Windows is less effective for end users than DOS because applications can't do raw hardware manipulation.

Conversely, it's a lot more involved and inconvenient to retrofit protections onto a DOS application which wasn't designed with them in mind.

Edited 2018-09-13 02:02 UTC

Reply Parent Score: 1