Sending a message to users that floats above everything

Richard Gaskin ambassador at fourthworld.com
Wed Aug 23 17:19:30 EDT 2017


Bob Sneidar wrote:

 >> On Aug 23, 2017, at 13:23 , Richard Gaskin wrote:
 >>
 >> Stock Android is safer than just about any desktop OS, including
 >> macOS.
 >
 > Gotta disagree there. Not sure how you would quantify it either.

Without quantification there would be no objective means to see if you 
had grounds to disagree. :)

In general desktop OSes have a larger attack surface than mobile OSes, 
and are often laden with legacy subsystems.

On macOS the problem is compounded in a few packages by Apple's decision 
to not deploy anything using GPLv3 (apparently they're not fans of the 
patent assertion clause), so for example the version of rsync included 
is years out of date and includes known vulnerabilities fixed in more 
recent versions.

If one were serious about security in a desktop OS (nope, don't have a 
quantification method for "serious" either <g>), consider Qubes, where 
apps are run in dynamically-instantiated containers, along with other 
built-in safety measures:
<https://www.qubes-os.org/>

Don't get me wrong:  macOS, and even OS X before it, are quite good. 
And as Google delivers it, so is Android.

(The older Mac OS -- v9 and earlier -- was a different story, but 
thankfully almost no one bothered to exploit its many holes.)


 > I have yet to see an exploit for OS X that elevated privileges,

I find O'Reilly's Security Newsletter helpful 
(<http://www.oreilly.com/security/newsletter>), along with adding 
"computer security" and "cybersecurity" to my news aggregators like 
Google News.

Sean Martin and the rest of the crew at ITSP Magazine deliver a steady 
stream of useful stuff too:
<https://itspmagazine.com/>

But here I just did a Google search - this was the first one I found:

    Get root on an OS X 10.10 Mac: The exploit is so trivial it fits
    in a tweet; If you want it fixed, upgrade to the El Capitan beta
<https://www.theregister.co.uk/2015/07/22/os_x_root_hole/>


 > allowed software to be installed silently,

If they elevate privileges they can install what they want.


 > and didn't require user interaction of some sort.

Of course.  Turn off any device and the device becomes 100% safe. :)


 > Lots of press, but when you get down to where they talk about the
 > delivery and payload (and they may not do that at ALL) someone has
 > to click something.

Exactly my point, as it pretty much applies to all OSes and the 
reporting on them from click-hungry publishers.

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com



