On Oct 27, 2008, at 9:20 PM, Brian Mastenbrook wrote:

> Jordan, I'm pretty sure I knew I was talking about capabilities, seeing as that's the exact word I used several times in a row :-)

Sometimes it's not clear, but glad to hear I won't be having to do a sales job on capabilities. ;-)

> Also, I'm well aware that it's not easy, which is why I made reference to spending some of those copious billions in cash. Sometimes you've got to invest to maintain a key advantage over your primary competitor.

You know, that had not occurred to us... I will suggest this to upper management immediately. They'll make me a VP for sure! :-)

> Right now I am frankly very concerned that Apple is marching down a path that does nothing to address the ease with which something that manages to execute arbitrary code from the browser can become root on an average Mac. Nothing other than dumb luck is keeping drive-by malware off the platform right now.

Well, I also think you are taking a couple of threads of disagreement and weaving an entire sweater out of them here. It looks itchy. I think Apple's most recent efforts in sandboxing, code signing and verified downloads speak very much to the contrary, to say nothing of the security hardening work in many other areas. There is a lot more than "dumb luck" keeping malware off the platform, though, of course, it still remains the case that any substantially determined user can download and run any number of things, up to and including running them with admin privs. If, in other words, a user is determined to practice the computing equivalent of hanging out in Bangkok's red light district, they're going to catch something eventually and there's not a whole lot we can do about that without closing the system up so tightly that users who don't make a practice of grabbing random software from untrusted sources and running it will start grabbing the torches and the pitchforks in order to march down here to teach us a thing or two about practical security. It's a balancing act involving the intersection of people and computers, Brian, not something that conveniently reduces to an engineering problem you can just throw money at until it goes away.

> I am not a security professional. I spend very little time thinking about this beyond what is necessary to secure my own applications.

I could add something to this, but I think you've just said it all. If you are able to constrain it sufficiently, sure, any problem space becomes tractable.

> Twice this year I have submitted security bugs which I have stumbled across that have allowed easy execution of arbitrary shell scripts from Safari without user interaction.

I wouldn't mind having the radar #s, so I can look at these as well. I'm not saying there are "no security bugs in the system" here by any means, but our past interaction also suggests that you tend to see a lot of "you need privilege X to do job Y" scenarios as architectural flaws, so much so that it almost seems like simply disconnecting your computer from the network (or AC power) would be the only way to reach the level of security nirvana you're seeking. I'm sure you don't actually feel that way, so clearly, we're somehow failing to communicate on some pretty fundamental level here and I'm not sure why.
- Jordan