Amen to this! Another element that makes OSX the least secure OS is the user base. Windows and Linux/Unix users are accustomed to having to patch, scan, firewall, and secure their OSes. The people who use Apple are largely not educated about security (not all the users, but most of them). I've been at the Apple store and heard some retired customers, who clearly were not tech savvy, ask the "Genius" if they needed to purchase Antivirus. The Genius said "Nope... Antivirus is only something to make you feel safe."

On Mon, May 7, 2012 at 2:55 PM, Richard Pieri <richard.pieri at gmail.com> wrote:

> We've all heard about Flashback, an exploit that starts from a security hole in older versions of Java, a hole that Oracle patched months before Apple got around to fixing the version they distribute. I let that slide because Java isn't Apple's product.
>
> Today, Apple's "most secure operating system" has been caught with its pants around its ankles. If you've read Slashdot then you know about the Legacy FileVault cleartext password logging debug flag. That's not what I'm on about but it is related.
>
> What I'm on about is the fact that this code exists in the released versions of the OS and updates. I understand the need for debugging in the development context. The root of the problem is that this is implemented as a debugging flag rather than a compilation switch. Code like this shouldn't be in release. It should be completely skipped in release builds so that the code path can't be exploited. An attacker can't exploit something that doesn't exist.
>
> Unlike the Flashback exploit, this one is entirely Apple's fault. The fact that this got into the released OS speaks volumes. First and most obviously is that Apple's QA department doesn't take security seriously enough. How the heck do you miss something like this, and continue to miss it for three months straight? Carelessness or ignorance or both.
>
> Second is that Apple's developers don't take security as seriously as they should. FileVault is one of the critical pieces of security infrastructure in their flagship operating system and they treat password exposure as an on/off switch. This isn't just the login password. It's the Keychain password. It really is the key to a user's kingdom. And they forget to turn it off. Carelessness and ignorance again.
>
> Apple recently removed Samba from OS X and replaced it with an SMB server and client developed in-house. I cannot help but wonder if Apple's SMB implementation has the same kinds of security-destroying debug toggles in it. I wonder the same about iOS since it shares everything underneath the UI layers.
>
> I used to describe Macintosh as the best Unix desktop in the world. As of today I describe Macintosh as the most dangerous operating system in the world. It's not the recent, highly-publicized flaws in it. Rather, it's the philosophies, the carelessness and ignorance, that permitted them to occur in the first place. Security holes can be fixed, but bad design is forever.
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss

--
Chris O'Connell
http://outlookoutbox.blogspot.com
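The design point in Rich's quoted message, a debug toggle that ships in release builds versus a compilation switch that removes the code path altogether, as an added C example; this is constructed for illustration, not code from the post or from any Apple component, and every name in it is hypothetical:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (every name hypothetical): a credential-unlock routine
 * whose debug logging is gated two different ways. */

/* Pattern A: runtime toggle. The logging statement is compiled into every
 * build, release included, so flipping one value exposes the secret. */
static bool g_debug_log_passwords = false;

static void unlock_with_runtime_flag(const char *password, char *log, size_t sz) {
    log[0] = '\0';
    if (g_debug_log_passwords)
        snprintf(log, sz, "DEBUG: password=%s", password); /* cleartext leak */
}

/* Pattern B: compilation switch. Unless CREDENTIAL_DEBUG_BUILD is defined, the
 * preprocessor drops the statement, so a release build has no such code path. */
#ifdef CREDENTIAL_DEBUG_BUILD
#define LOG_SECRET(buf, sz, pw) snprintf((buf), (sz), "DEBUG: password=%s", (pw))
#define DEBUG_PATH_PRESENT 1
#else
#define LOG_SECRET(buf, sz, pw) ((void)0)
#define DEBUG_PATH_PRESENT 0
#endif

static void unlock_with_compile_switch(const char *password, char *log, size_t sz) {
    (void)password; (void)sz; /* unused when the switch is off */
    log[0] = '\0';
    LOG_SECRET(log, sz, password);
}

/* Each returns true if handling `password` wrote it to the log in cleartext. */
bool runtime_flag_leaks(bool debug_enabled, const char *password) {
    char log[128];
    g_debug_log_passwords = debug_enabled;
    unlock_with_runtime_flag(password, log, sizeof log);
    return strstr(log, password) != NULL;
}

bool compile_switch_leaks(const char *password) {
    char log[128];
    unlock_with_compile_switch(password, log, sizeof log);
    return strstr(log, password) != NULL;
}

/* True only in a build where the debug path was compiled in at all. */
bool debug_path_compiled_in(void) { return DEBUG_PATH_PRESENT; }
```

In a release build (CREDENTIAL_DEBUG_BUILD undefined) the second pattern has nothing to toggle, which is the property the message argues for.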