As much as I like Apple and OSX, I see some of the same kinds of mistakes Next/NeXT made with NextStep, being made with OSX.
(I used to sell Next software for about 6 months and got to use a NextStation every day. Very cool - later at another company I got to speak with the GUI designer Keith Ohlfs and personally thank him for the best computer experience I ever had.)
For instance, NextStep's POSIX interface was broken and thus, Next was not able to compete against the then-very-inferior SunOS in government contracts (because POSIX compliance was a requirement).
Instead, Next did win in CIA/NSA and other exempt contracts where the solution was considered to be "custom" and thus didn't have to follow the standards.
It probably would have taken a competent Next programmer a few weeks to fix the POSIX layer - but since POSIX was viewed as "dumb" it was never made a priority.
Apple is letting some of the boring stuff slip - which is a danger sign. Programmers at Apple can't all be programming the cool CoverFlow stuff and ignoring the "guts".
When Apple first released a developer preview of OS X back in 98/99 (IIRC) I actually emailed Jobs about using OpenSSH in the new OS (there was a lot of controversy about the munitions export act in the USA, and I was involved in the OpenSSH project - he said that they would be distributing OpenSSH, which was a big win at the time - anyway I digress), I also asked about POSIX compliance.
He said in his reply (and I wish I could find it) that POSIX compliance was a big deal for OS X, and part of the reason why so much of the FreeBSD userland was being used (I was also involved in some parts of FreeBSD at the time - there was a whole initiative around making it fully POSIX compliant, way before any other free UNIX).
I knew some of the history with Next and POSIX, your comment tied the story together for me. It does show that Jobs learned his lesson when he went back to Apple.
Now more on the topic at hand. Apple need to handle security issues better. Not just in terms of disclosure but in response times and communication with the industry. You don't see many/any Apple reps at the major conferences, and no engagement at all. It was always generally known within the industry that Apple owed much of its OS X security to the fact that it just wasn't a big target. The commercial UNIX releases and Linux were targeted because they ran the world's servers, and Windows was targeted because it was the world's desktop. Now with OS X gaining market share they are getting more attention from sec experts and hackers.
Microsoft reformed their security policies back in 2000, after IIS 4 had a horrible run and the code red worm ran wild. Many top security and secure coding experts went to work at Microsoft at the time - it was a major shift (implementing security checks in every step of the dev process across the whole company). Apple have only had to do this more recently, and they haven't really perfected it.
I don't think he's specifically referring to POSIX compliance in the current OSX, but I can certainly attest to my experiences with A/UX (the original Mac OS/Unix hybrid OS) and say that POSIX compliance was also a minor issue - perhaps not so much for a Unix, but it's other stuff that they let slip. I don't use OSX as I don't have a Mac but I wouldn't be surprised if they're focusing on the insanely great bits to the detriment of stuff under the hood, as has happened before.
I find the title highly sensational and misleading. Of course it was hacked in seconds given a prepared exploit, I would be shocked if it took the computer longer than that to execute the exploit code.
It did take FF/IE only seconds to 'get exploited', but it was more than a few seconds after the start of the contest... In short -- the guy with the Safari exploit went first.
Yup, I'm at CanSecWest now. This doesn't say much except that he just brought a ready, armed exploit and just took the prize. Nils' breaking of the browser trifecta was quite impressive though.
Bringing a pre-made exploit to a contest like this kind of dodges the point of the competition.
Maybe an exploit contest could be started after each browser revision, where winning submissions must be exploiting a bug introduced by that version of the software.
I don't understand what you think the point of the competition is, or what the point would be to concealing latent vulnerabilities introduced by older versions of Safari that remained present in newer versions.
While I definitely agree with you, I also think that Apple should start more seriously addressing these kinds of problems. So far, unlike Microsoft, they've been very slow to respond. (I'm an Apple-user.)
I just got a MacBook (my first). Previously, in Windows land, I logged in as a Limited User all the time (and saved Administrator access for what it should be used for - adding printers, installing software).
On the Apple, I run Security Update habitually. What software for virus scanning, additional protection do you recommend?
Second one's a trojan. First one's a worm; it doesn't actually infect files or disks the way viruses did "back in the day". It relies on tricking the user into executing a program when the user is not expecting to be executing a program.
Compare to Windows worms that run automatically, or viruses for Microsoft platforms that infect files that are commonly shared.
I repeat my statement that you don't need anti-virus on the Mac. You simply need to have common sense.
I don't think it's too naive of a viewpoint. There are legitimate security concerns on the Mac, just as there are on other operating systems. My point was that you don't need CPU-cycle-sucking memory-resident antivirus programs the way you do on Windows.
Worm, trojan, whatever - I didn't read the links, I left that for you to do :)
> You simply need to have common sense.
I ran Windows ME (of all things) for several years with no AV, using just common sense. So, you don't "need" AV in Windows, but I would definitely recommend it.
Although I agree with what you're getting at, both your original comment and this one seem to be relying heavily on stereotypes more than actual fact. That's what I think is naive.
Microsoft is getting better when it comes to default lockdown modes (Vista) but I believe Administrator by default is the reason why Conficker et al and botnets exist.
I can't think of any good reason why the average home user needs to run as Administrative user, other than convenience.
I have to "administer" my dad's old computer and I gave him a Limited User account. Yes, he complains about not being able to install some software his friends email but no viruses, no spyware. Cuts down on support calls and unnecessary trips home.
This is frustrating for me. I've become very accustomed to the speed and interface of Safari, but the security-conscious part of me says the only rational response to this article is to stop using Safari for general surfing and switch to Firefox, which seems to be lacking any major crash holes right now.
But every time I fire up Firefox my entire body cringes at the sluggishness. For many Mac users, myself included, this is going to be a real test of discipline.
In good news, the security conscious part of you needs to stop browsing the web in a graphical browser now, because all the competitors were also hacked in a similar manner :).
Yeah, it seems to take Firefox more than 0.5 seconds to open a new window, whereas Safari is as close to instant as I can imagine. That's what really annoys me about using Firefox.