undefined | Better HN

0 pointsfeelix10y ago0 comments

Apart from that it doesn't get you any additional protection whatsoever. With all the root OS X exploits floating around that bust you out of the sandbox as well as giving you full system access, as someone that has several utilities on the Mac App Store, it would be trivial to put an app there that gets set off by a timer, exploits root, and wreaks havoc.

Source: https://www.google.com/search?q=os+x+root+exploit&gws_rd=ssl

0 comments

stouset10y ago

This is a totally unproductive (if all too common) attitude toward security. "If it doesn't solve every problem, it's useless."

This protects against a whole host of issues. It safeguards against garden-variety incompetence[1]. It provides some defense against the large number of badly-intentioned people who can write an Objective-C app, but don't have the expertise necessary to weaponize a typical root escalation exploit. It prevents apps from accessing your contacts, reading your emails, determining your location, and accessing the webcam and mic without your knowledge, amongst other things.

Does it protect against a motivated, highly technical attacker? No, not really. But that hardly makes it useless.

[1]: http://www.macobserver.com/news/98/december/981229/bungierec...

s73v3r10y ago

Not to mention that exploit will be fixed soon.

feelixOP10y ago

>It safeguards against garden-variety incompetence[1]. It provides some defense against the large number of badly-intentioned people who can write an Objective-C app

The exploits tend to be trivial, often trivial enough to fit into a single tweet. (https://twitter.com/i0n1c/status/623727538234368000) They require no competence to use.

As for protecting against incompetence and mistakes, that is far too an extreme of a measure solely to protect against that. Some decent QA will fix that.

So what is the point, really, of sandboxing if it does not thwart highly technical attackers? It severely limits the functioning of apps, makes it far more difficult for app developers (myself included), and for what benefit that could be worth the trade off?

https://www.google.com/search?q=developers+leaving+%22mac+ap...

cthulha10y ago

> So what is the point, really, of sandboxing if it does not thwart highly technical attackers?

It thwarts the attackers who aren't highly technical, and frustrating the script kiddies could have flow on effects when beginner attackers don't get the reinforcement to motivate themselves to refine and build their skills.

Secondly, exploits can be patched over time. Ten years from now, is OS X going to be better off for having the sandbox? Do you expect a lot of trivial exploits to be discovered after another century of person-hours are invested in the sandbox?

zoul10y ago

I mean I can easily install an app to try it out, then uninstall and be reasonably sure it’s completely gone, without changing the rest of the system by incompetence or ignorance. That’s still pretty good. If the developer wants to harm you intentionally, that’s tough game on any system.

kstrauser10y ago

Your logic holds true for things like filesystem permissions and even separate user accounts. Since a privilege escalation exploit could give you root access, might as well do away with limited users and run everything as root to begin with, right?

And yet we do those things anyway. The idea is defense in depth, such that if one mechanism fails then hopefully another will mitigate the damage. Sandboxing isn't perfect, but it's another layer of security and I'd rather have it than not.

marcosscriven10y ago

Hence https://en.wikipedia.org/wiki/System_Integrity_Protection

super_mario10y ago

Which is completely pointless. If a hacker wants to hack your system, the very last thing they want to do is destroy your OS. Who cares about the OS, it's just one re-install away and you got it back. If a hacker were to hack into your system they would want your data, your passwords, your bank account details etc. Or they would want to use your system to do illegal things that look like you did it.

It's in the best interest of the hacker that broke into your system that your system continues to work flawlessly for both you and the hacker. This is why Mac OS X "rootless" is just yet another obstacle for the power user, yet another obstacle when compiling and installing POSIX code from source, and yet another step closer to locking down OS X to be an appliance like iOS.

eridius10y ago

The point of rootless (SIP) is to prevent malware from being able to embed itself into the system such that it's difficult or impossible to remove. And it's also a completely different technology than sandboxing.

1 more reply

azag010y ago

The point of rootless is that doing privilege escalation attacks will be much more difficult

dasil00310y ago

Except you have get through Apple's code review and then once you activate Apple can push a button and wipe out all the installs with a single button push.

Yeah, cracking is asymmetric warfare that we have no hope of winning, I think anyone with any knowledge of computers realizes that is true. It doesn't mean we should smugly shoot down anything that makes it incrementally harder.

feelixOP10y ago

That is nothing that cannot be trivially obviated with a date check before doing bad stuff.

chc10y ago

That seems to be orthogonal to the sandbox, which is the measure under criticism here.

j / k navigate · click thread line to collapse

0 comments

stouset10y ago

This is a totally unproductive (if all too common) attitude toward security. "If it doesn't solve every problem, it's useless."

Does it protect against a motivated, highly technical attacker? No, not really. But that hardly makes it useless.

[1]: http://www.macobserver.com/news/98/december/981229/bungierec...

s73v3r10y ago

Not to mention that exploit will be fixed soon.

feelixOP10y ago

>It safeguards against garden-variety incompetence[1]. It provides some defense against the large number of badly-intentioned people who can write an Objective-C app

The exploits tend to be trivial, often trivial enough to fit into a single tweet. (https://twitter.com/i0n1c/status/623727538234368000) They require no competence to use.

As for protecting against incompetence and mistakes, that is far too an extreme of a measure solely to protect against that. Some decent QA will fix that.

https://www.google.com/search?q=developers+leaving+%22mac+ap...

cthulha10y ago

> So what is the point, really, of sandboxing if it does not thwart highly technical attackers?

zoul10y ago

kstrauser10y ago

marcosscriven10y ago

Hence https://en.wikipedia.org/wiki/System_Integrity_Protection

super_mario10y ago

eridius10y ago

1 more reply

azag010y ago

The point of rootless is that doing privilege escalation attacks will be much more difficult

dasil00310y ago

Except you have get through Apple's code review and then once you activate Apple can push a button and wipe out all the installs with a single button push.

feelixOP10y ago

That is nothing that cannot be trivially obviated with a date check before doing bad stuff.

chc10y ago

That seems to be orthogonal to the sandbox, which is the measure under criticism here.

j / k navigate · click thread line to collapse