Oh Dear Apple

Actually that quote from Apple is disturbing, as Safari does not query if it's a file or a program, at least not on the version I'm running on XP here (3.1). IE 7 and Firefox 2 both prompt me before downloading anything, whereas Safari just starts downloading without any warning at all. Is that the same for Mac users?
 
OK user interaction (as has been shown by the competition) is the key to getting control, but if you also realise Safari is the ONLY browser without phishing protection then IMO it's clearly the easiest target for phishing scams/remote browser exploits if there were enough people using it. Currently it's security through obscurity, and I'm on a Mac... using Safari... and can clearly admit that!

There was also an article recently that shows in fact Apple are quite rubbish in patching security holes, whereas Microsoft have good relationships with the security community and get their patches out way quicker.

As also with Apple, some people will defend the company to the point they'll hack a security guy's blog because he's had the shocking behaviour of detailing a security vulnerability in Mac OS X. Just ignore them, as they clearly are blinded.
 
Funnily enough, on this topic... I was in an Apple store a year or so ago and the guy there was trying his best to sell me one. He was opening multiple windows at once, running the 3D stuff (Expose is it?) and playing a movie. Very nice, I told him, but my Linux box already does all that and more, without the £1,000+ price tag. What can I actually DO with it?

He started telling me how Macs were immune to everything known to man, and laughed at me when I wondered out loud whether it was so good I'd relegate my Linux/XP dual boot PC to being a stand-alone firewall/router. He thought that was quite funny. Didn't I KNOW that Macs don't need firewalls? :rolleyes:

Yes they have a Unix (or more appropriately, BSD) based kernel, and look flashy etc, and I have no doubt they're quite easy to use. I'd happily use one and would even be tempted to buy a mini as a small home server if they weren't so damned expensive. I mean, it was nearly £500 to add 2GB of ram when I last looked LOL

Anyway I'm getting off topic - I certainly don't mean this as an anti-Mac post. Like I said I'd have no problems owning one and am used to working with Linux/BSD anyway.

I was just reminded of the cavalier attitude of the sales staff when I read this. One certainly has to wonder how many people have left that (and other?) Apple stores with their purchase in-hand, and never given a second thought to security because they thought they were "safe"?
 
I mean, it was nearly £500 to add 2GB of ram when I last looked LOL

When was that? 1995?

I was just reminded of the cavalier attitude of the sales staff when I read this. One certainly has to wonder how many people have left that (and other?) Apple stores with their purchase in-hand, and never given a second thought to security because they thought they were "safe"?

But that's just retail, isn't it? You get the same attitude in places we probably can't mention on here. Shops trying to sensationalize their products is standard practice and you can't help but come across staff with poor knowledge/experience in these environments.

IE: How many people have left Currys thinking that Norton 360 is all they need? Many users have walked out of places like that not even realising they have to activate their AV software to start protection. At least with Apple they appreciate that users need guidance even after they walk out of the store.
 
1995? No, the end of last year - so a couple of months ago ;) Yes I agree with the retail mentality statement, but the point I was making is Apple hype themselves up to be the answer to everything. They espouse that the staff in store aren't sales clerks on commission, but real 'geeks' who can help you find what's right for you. Last time I checked Curry's was just shifting numbers. I wouldn't expect "Gary" on the shop floor to know everything about every TV, hifi, sat nav and PC in the place. But when I go into a specialised (Apple) store, which sells only their OWN hardware and their OWN software, I don't expect to be blatantly lied to ;)

As I said not a total dig at Apple, it was just my experience of shopping with them. I left with a negative impression of the "brand" and the "community" (read: hype) behind it, but actually thoroughly impressed with the actual machines themselves. I think that's a fair/balanced assessment. I'm certainly no fanboi either way.
 
I think what gets people's backs up about Apple and the associated fanboyism is the attitude. Some Mac zealots will say they'll never get a virus running OSX because it's totally secure... and in a sense they are correct, they probably won't, but they can still pass on a Windows virus to another Windows PC or fall foul of a phishing scam. Awareness is the key, and part of that awareness is knowing NO software system is 100% secure. That's a given. It's hard enough debugging and locking down a small program, never mind an entire operating system.

One thing that irks me is when Apple seem to go OTT about selling security as a feature:

http://www.apple.com/getamac/viruses.html said:
Connecting a PC to the Internet using factory settings is like leaving your front door wide open with your valuables out on the coffee table. A Mac, on the other hand, shuts and locks the door, hides the key, and stores your valuables in a safe with a combination known only to you. You have to buy, configure, and maintain such basic protection on a PC.

Not entirely true that, is it? The Firewall is off by default and Safari automatically opens so-called "safe" files after downloading. The small-print also recommends antivirus software. You also have to tell Safari to "show status bar" to see where a hyperlink is actually taking you.

Now I'm not bashing Macs, I think they are great (I have three), but on the security front they are punching above their weight in my opinion. My worry is if the adoption of Macs starts to gather some serious momentum their security department aren't going to be up to the job if the door gets seriously blown open.
 
OSX's best security feature by far is obscurity. It comes as no surprise this was found. Fortunately for us Mac users the chances of coming across something like this in the wild is insignificant.

OS X's best security is the fact it uses an underlying UNIX core. Bad applications that have a too intimate relationship with said core are their own worst enemy!
 
OS X's best security is the fact it uses an underlying UNIX core. Bad applications that have a too intimate relationship with said core are their own worst enemy!

True the UNIX structure complicates things for a potential attack if configured properly. Apple hiding root from OSX users is probably a good thing too.
 
According to Daring Fireball, it was a WebKit security hole and has now been patched.

Will expect an update to Safari soon.

Yea, it was a vulnerability in WebKit's regex parsing code which caused an integer overflow. http://trac.webkit.org/projects/webkit/changeset/31388

All these people saying it requires user interaction by clicking a link. Sure it does, but you can trigger it from JavaScript; any website which is vulnerable to XSS can be used as an attack vector. (A hell of a lot of the major sites are.)

As mentioned above, Apple are lucky that people don't really bother to target them that much due to their small userbase. Windows (Vista) these days is actually much more secure, and how it was compromised in this competition was because they were allowed to install Flash (which is obviously not part of the base system like WebKit is). (Man, never thought I would praise Vista hehe).

Isn't it always the case that the only problem with software development is the user?
I guess the lesson here is to be sensible when clicking links and don't go wallying around on websites that you don't trust.

Sure there is always the human error. However insufficient code review/QA processes/developers not having a clue about security issues or too rushed to meet a deadline is always a problem.
 
Sure there is always the human error. However insufficient code review/QA processes/developers not having a clue about security issues or too rushed to meet a deadline is always a problem.

Oh, absolutely! Don't get me wrong, I'm not excusing poor practices like this that seem to have fixes so quickly. It really makes me wonder how easy it would be to strip apart some of the stuff that I'm too rushed to check properly, and marketing try their best to get published without being tested properly. The company I work for can't be the only one that dangerously rushes their developers, either.
 
1995? No, the end of last year - so a couple of months ago ;) Yes I agree with the retail mentality statement, but the point I was making is Apple hype themselves up to be the answer to everything. They espouse that the staff in store aren't sales clerks on commission, but real 'geeks' who can help you find what's right for you. Last time I checked Curry's was just shifting numbers. I wouldn't expect "Gary" on the shop floor to know everything about every TV, hifi, sat nav and PC in the place. But when I go into a specialised (Apple) store, which sells only their OWN hardware and their OWN software, I don't expect to be blatantly lied to ;)

As I said not a total dig at Apple, it was just my experience of shopping with them. I left with a negative impression of the "brand" and the "community" (read: hype) behind it, but actually thoroughly impressed with the actual machines themselves. I think that's a fair/balanced assessment. I'm certainly no fanboi either way.
:p
I used to work on the shop floor for Apple Retail and I know from personal experience Apple don't go for the techie characters. Sure they bag a few of us egg heads who know what we're talking about but they absolutely love to hire creative types who can inspire customers on creating something with their Macs.

Unfortunately, not all creative folks know what's important technology wise for their movie/music/photo editing software so bad advice can be passed out.

I agree with what you say about how you shouldn't be poorly advised but that goes hand in hand with retail and I know a lot of people can put up with a pressure sale from an Apple employee more easily than a pressure sale from a place like Purple Shirt world.

In fact judging from a recent advert from the purple shirt store they seem to throw specs at customers who blatantly don't have a clue what they mean in the hope to impress them into buying the machines. If that happens in practice then it's beyond pathetic. No wonder people have a repressed opinion of computer hardware if they're buying the wrong things because they're too embarrassed to ask what the extra RAM will mean for them.

Anyway, a bit of a rant there. :p
 
:p
I used to work on the shop floor for Apple Retail and I know from personal experience Apple don't go for the techie characters. Sure they bag a few of us egg heads who know what we're talking about but they absolutely love to hire creative types who can inspire customers on creating something with their Macs.

Agree with that. They don't seem to be 'geniuses' at all.
 