Apple snags ex-OLPC security chief

[ http://blogs.zdnet.com/security/?p=3358 ]

May 13, 2006

Former director of security architecture at One Laptop per Child (OLPC) Ivan Krstic has joined Apple to help thwart hacker attacks against the Mac operating system.

Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it’s rather trivial to launch exploits against the Mac.

[PJ: That is the very opposite of "public knowledge, by the way. The US military has said publicly it sometimes uses Macs, for enhanced security.] - ZDNet

Apple snags ex-OLPC security chief

By Anonymous [ http://tinyurl.com/pg9s2w ]

May 14 2009

More detailed stories at AppleInsider,
http://www.appleinsider.com/articles/09/05/13/
see also Krstic's own blog
http://radian.org/notebook/

PJ, I don't quite get your aside on Mac security. The US military may well use Macs for "enhanced" security, better than Windows, especially for non-computer-savvy users who are trained, disciplined and follow the rules. Recent events have demonstrated that social engineering trojans are quite successful against Mac users. While MacOS 10.5 introduced signed code, it is not mandatory. Unsigned code can still be happily run.

The 10.5.7 update this week fixed 67 CVE notified vulnerabilities, plus one unnotified. The breakdown of those 67 includes:
Apache 3
Bind 1
enscript 4
Flash Player 3
IPSec 2
Kerberos 4
libxml 1
Net-SNMP 1
Open SSL 1
PHP 8
ruby 6
X11 6
That's 37, over half in third party, open source products. I'm not putting any blame on open source, in fact the opposite holds, that Apple have dug themselves a hole by using a mixed system of open and closed source code, where all the open source patches must be tested against their closed system before releasing to customers. While the testing happens is a window of opportunity for bad guys.

5:51 PM EDT

Apple snags ex-OLPC security chief

By PJ [ http://tinyurl.com/pskh7f ]

May 14 2009

social engineering points not to the OS but primarily to the user

pretending that Apple products are as vulnerable as MS stuff is part of the FUD that makes me throw up, because it is nonsense

how do I know? I've used them both

09:18 PM EDT