Focus on Apple
Month of Apple Bugs now live Jan 02 2007 04:06PM
Dave Schroeder (das doit wisc edu) (1 replies)
http://applefun.blogspot.com/

One comment I have had (which I doubt will be approved as a comment
on the blog, since - other than technical posts - lmh only seems to
accept congratulatory comments), and which I am curious to have
feedback on from the list and Kevin in particular is this, below,
which was in response to lmh saying:

> It's a matter of time to see this getting abused in the wild.
> Hopefully, due to exploits being released for every critical issue,
> the usual 'not a problem' claims will vanish (unless the guy is a
> total retard).

lmh,

Of course there will be exploitable issues. It's only a matter of
time to see *any* issue being "abused" in the wild. What's curious to
me is you're speaking of, for instance, this rtsp issue like it's
something manifestly new or unique (I know it's a "new" issue itself;
that's not what I'm saying). We've seen issues to date that have
allowed arbitrary code execution by a user just, for example,
visiting a malicious web page. And then, Apple fixes the issue. What
more do we want or expect?

I know you and others are on this kick of wanting to "prove" that Mac
OS X is "insecure". But I don't know what it proves, exactly. That
all large software projects and operating systems have bugs? No
reasonable person says that Mac OS X is invulnerable or has no bugs.
That would be absolutely ludicrous. And ordinary users don't
understand anyway, even when you show them something like this.

What people do understand is machines getting hit with malware on a
routine basis, or getting owned completely from remote in an
automated fashion, with no user interaction whatsoever, which, as I'm
sure you're aware, has happened numerous times, often with
far-reaching consequences of downtime, data loss, cleanup and
remediation, and recovery, on the "other" desktop platform.

The real bottom line today and ever since Mac OS X was released is
this: has the Mac OS X userbase to date, or will it realistically in
the future based on past performance, be affected either:

1.) in absolute numbers, or
2.) as a percentage of the total userbase

on a greater scale (or anywhere NEAR) anything we've seen affect the
Windows platform?

I guess I'm curious with what your exact beef is: is it ordinary
users (correctly) thinking that Mac OS X is [insert some amount here]
more secure, from a practical perspective, than Windows?

Is it Apple's type/speed/thoroughness of response to security issues,
once reported or revealed?

Is it Apple (again, correctly, from a practical perspective)
insinuating the level of security in comparison to Windows in its
commercials?

Is it Apple's legacy code, which is rife with various opportunities
for exploits?

What would possibly be more productive here, and what you also didn't
answer in the FAQ, is what precise actions you think Apple should be
taking to remedy, for example, bugs that it is not aware of.

Should it create new teams specifically to do code audits and find
vulnerabilities proactively?

Should it make public comment on security issues before it has
provided a patch or fix?

Should it provide more granular separate fixes and workarounds more
quickly for individual issues, instead of waiting to roll them into
the next security or OS update?

Also helpful would be some kind of outline of what you believe Apple
is doing *wrong*, right now, on the security front.

And yes, I could make my own list. But I'm more curious about what
you think. I'm also curious whether you recognize that, while there
is still a long way to go, Apple has indeed greatly improved its
response to security issues in direct response to complaints and
feedback it has received from the enterprise/institutional community
(e.g., via Apple University Executive Forum and MacEnterprise.org)?
As a direct result, Apple started making detailed reports (at least
far more detailed than they were before) of each issue addressed or
fixed, linking to (or creating) advisories where available (e.g.,
US-CERT, Secunia, MITRE), has made security updates more granular than
they were in the past, and so on. As I said, yes, a long way to go.

So is this effort aimed at improving Apple's response, or at
"shutting up" people who you would characterize as "fanboys"?

Regards,

Dave Schroeder
University of Wisconsin - Madison
das (at) doit.wisc (dot) edu [email concealed]
http://das.doit.wisc.edu/
Re: Month of Apple Bugs now live Jan 02 2007 05:41PM
K F \(lists\) (kf_lists digitalmunition com) (1 replies)
Re: Month of Apple Bugs now live Jan 02 2007 06:38PM
Dave Schroeder (das doit wisc edu)
Copyright 2007, SecurityFocus