[kman42]

With the incredible outlash from the media with these two worms/viruses of the last week and with the attention being paid to Microsoft security woes and their upcoming 'solutions' in Vista, I'm wondering if Apple will introduce a suite of security features in Leopard that will go to the next level before MS can get there. What are the next big movements in home and server level security?

I don't know anything about this sort of thing, so I'm interested in hearing what the technologies are and how Apple could implement them to create some marketable advantage. I've started using the .mac certificates with iChat and Mail. Are there similar 'easy' things that could be included around the system? Is there a way that Apple can centralize Security in the UI to make these easier for the average user? Are there UNIX tools already present that Apple could tap into with their usual flair?

kman

[osxrules]

All Apple needs to do is protect folders that are critical to the running of the system (Library, System and the unix folders) and warn of any changes to them. Also, they could make the installer software more interactive on a similar level to Pacifist so that it can't just take your password and then do what it likes and give you no feedback.

There could also be tighter restrictions on running any new or unrecognised process. Viruses tend to have to be executable code and I doubt many users run more than a handful of recognised apps in which case, an unrecognised process could be stopped in its tracks.

Of course, there's no real way to stop malicious code. For example, someone could conceal a script that deletes your home folder no matter what permissions you have and it's not necessarily dangerous but it's a major pain in the ass to fix if you keep a lot of data like itunes playlists etc. in there.

The safest solution IMO is to keep a backup of your hard drive. If a virus goes crazy, it would take me about an hour to get back to normal. Maybe for people with large enough hard drives, Apple could offer an auto backup solution which stored your important data in a locked, super-duper user protected, compressed archive. Then if your are really getting screwed, you could boot from the installer and get the installer to put all your files back.

The biggest task is protecting stupid people from themselves and I fear that no one is capable of that.

[RevEvs]

Originally Posted by osxrules

All Apple needs to do is protect folders that are critical to the running of the system (Library, System and the unix folders) and warn of any changes to them.

Thats a great idea. Are they not protected now tho? i.e. do you have to put a password in to add/remove? I cant remember and am not on my mac at the moment

[osxrules]

Originally Posted by RevEvs

Thats a great idea. Are they not protected now tho? i.e. do you have to put a password in to add/remove? I cant remember and am not on my mac at the moment

Yes to a certain extent. The system folder needs a password but there are no warnings to say when it is modified. There are some apps for example that require a password and most people would just type it in. This app may say that it's installing something into some other protected folder but it could easily damage your system folder using the password and OS X wouldn't tell you.

I'm not saying it should always warn of changes to critical folders especially if some users modify them regularly but there could be an option so that most users will know when some critical damage could be done by a malicious process.

Most users should never have to modify the system folder in OS X so when a progam tries to change it, OS X should warn the user.

The Library folder is really designed to keep stuff that is system level but can be customized. That's why I hate when driver installers insist on placing extensions in the system extensions folder instead of the library one.

[Chuckit]

Originally Posted by osxrules

The Library folder is really designed to keep stuff that is system level but can be customized. That's why I hate when driver installers insist on placing extensions in the system extensions folder instead of the library one.

Unless something has changed recently, kexts in /Library/Extensions aren't loaded at boot time.

[osxrules]

Originally Posted by Chuckit

Unless something has changed recently, kexts in /Library/Extensions aren't loaded at boot time.

Yeah I think that's right and that's a good thing IMO. Sometimes I hear of people saying they can't boot into OS X and the cause is a kext trying to load at boot time.

I think to ensure a more stable system, 3rd party extensions should never load at boot time (OS 9 taught us that). I'm not sure there would be any need for them to do so anyway.

I hear that some Linux users now run the system from a CD so that it can never fail. That's a very good idea because it means that no matter what security flaw you get, it won't stop the system allowing you to repair any damage.

[Millennium]

Originally Posted by RevEvs

Thats a great idea. Are they not protected now tho? i.e. do you have to put a password in to add/remove? I cant remember and am not on my mac at the moment

If you're running as a normal user (as opposed to an Administrator), then yes. Apple should refine the wording a bit, to make it clearer what's going on, but the basics are sound. They should, however, require it for Administrators as well as regular users.

[P]

It's trivial to put Folder Actions on important folders to warn when they're modified. I think Apple should do this in the default installation.

[moonmonkey]

Originally Posted by P

It's trivial to put Folder Actions on important folders to warn when they're modified. I think Apple should do this in the default installation.

This is a great idea, I think the folder actions interface needs to be improved too, Apple should designate a "Downloads" folder with a specific set of folder actions.

I would also like to see Apple adding a trojian/malware scanner into software update (scanning using spotlight), everytime a peace of malware crops up they flick a switch and everyones computer automaticaly scans the hard disk for this file, and then presents the option to remove it. Evertime a file is added to the downloads folder, it is compared to the malware list too (using a folder action).

[Chuckit]

Folder Actions aren't on by default, are they?

[blackbird_1.0]

You have to enable them. When in the Finder (desktop), control-click (or right click). It brings up the contextual menu, and then choose "Enable Folder Actions" toward the bottom.

[sc_markt]

I wonder if it would be useful to have your computer notifiy you whenever someone logs in to it? Perhaps a small menubar light would light up and beep when somebody (known or unknown) logged in and if you click on the menubar light, it gives you information on who's logging in and where they are inside of your computer.

Mark