Apple hires former OLPC security architect

Ivan Krstic

(Credit: OLPCNews.com)

Ivan Krstic is upgrading from working on $100 laptops. Beginning this week, the former security architect for the One Laptop Per Child project is working for Apple.

He wrote about the move to Apple on his personal blog. Krstic was the architect of the Bitfrost security specification used by OLPC for passwords, hard drive encryption, machine authentication, security updates, and prevention of data loss. He will be working on core operating system security in Cupertino.

Though OLPC isn't a large platform that hackers are known for targeting, it's likely the way that Krstic thinks about security that attracted Apple's interest. As ZDNet notes:

Instead of blocking specific viruses, the system (Bitfrost) sequesters every program on the computer in a separate virtual operating system, preventing any program from damaging the computer, stealing files, or spying on the user. Viruses are left isolated and impotent, unable to execute their code.

According to Krstic, that "defeats the entire purpose" of creating a virus.

[monkeyfun14]

If that is the case that would lead some to assume Apple knows that it is currently possible for Viruses to run on OSX.

[Angmarr]

no way blasphemy, Steve jobs will smite you with an i-bolt!

[Mr. Dee]

Somebody had to speak the truth.

[rocketjam--2008]

Of course they know it. Knowledgeable Mac users know it too. But they don't have to spend a lot of time worrying about it.

[kcotham]

See Angmarr, that remark you just made, that's an example of trolling. Just incase you didn't know.

rocketjam--2008 is correct, any system is vulnerable, to varying degrees.

[Angmarr]

@ kcotham

dude you seriously need to Chilllll

[technewsjunkie]

Of course they do. They never denied that nor have any Mac users.

Bomb thrower.

[kcotham]

@Angmarr,
I'll "chill" as you put it, when you grow up.

[Angmarr]

lost cause = P

[monkeyfun14]

@technews

Never denied getting viruses?

Have you been living under a rock?

[Dalkorian]

Dare I point out the facts to the trolls here? Sure, OS X should be capable of having a virus written for it (*nix has had viruses before and OS X is basically a candy interface on top of a flavor of OpenBSD). I might get shot on the way home from work today too, but the chances of it happening are slim to none. OS X has had 5 different "iterations" over the last 9 years and to date there has been exactly zero viruses and zero worms written for the system. A number of trojan horses though, but nothing that self-replicates.

How many has that other system that will remain unnamed suffered in that time? How many has that other system that will remain unnamed suffered in *HALF* that time?

We'll leave alone the confusion that the feces flinging monkey wants to cause by confusing "possible" for "getting".

Like has been said, somebody had to speak the truth.

[danielwsmithee]

Apple is well aware, along with almost all Apple users, that it is possible for Viruses to run on OS X.

That doesn't mean I'm going to run Anti-Virus software to avoid getting a Virus on my Mac. That would be like walking around outside with a bullet proof vest because I am afraid I might get shot at. The difficulty of wearing around a bullet proof vest outweighs the small risk of getting shot at. On a Mac the headaches of running Anti-Virus software outweighs the risk or actually encountering and being infected with a virus.

Running Windows without Anti-Virus software would be like walking down the street in Baghdad with an American Flag draped on your back without a bulletproof vest. The risk outweighs the hassle for Windows.

Every decision we make as humans is just a Risk vs. Reward analysis.

[kcotham]

Very good danielwsmithee, excellent analogy.

[slickuser]

LoL!

Repped!

[nguidry]

Is "walking down the street in Baghdad" a metaphor for surfing porn and less than honest sites? Even though I have Kaspersky on my computers, I have yet to get a virus alert. That's because I update my computer with security patches when the are released and don't go to "questionable" sites. And, yes, OS X does security patches too.

Informed users don't get viruses. Uniformed users that believe they are immune to exploits are the ones that pay Geek Squad to fix their computer.

[santuccie]

@danielwsmithee:

You're absolutely right. But I hope you're aware that there is a Mac botnet out there now, and it's been demonstrated three times at CanSecWest that drive-by downloads work on the Mac. Bot herders in Russia may not know yet how to do this (they've been focusing on the OS that will yield the most hits), but they know it's being done, and will eventually figure out how to do it themselves. I wouldn't suggest running antivirus MONITORS on your system quite yet, but it might not be a bad idea to have at least a couple of on-demand scanners to check your system every now and again.

@nguidry:

I'm afraid you yourself are uninformed, at least as far as the status quo to date. There are about as many legitimate sites being compromised as there are hostile sites being launched by the criminals themselves. Thing is, legitimate sites have established reputations and user bases; they get a LOT more hits. Conficker has infected some 3-15 million machines. If you're running Vista, and have UAC enabled, then you're probably not infected with Conficker or Mebroot. But if you're running XP, you might want to download a copy GMER, and run a quick check. It will take all of 10 seconds. When you're certain your system is clean (at least not rootkitted), you could further secure it using the suggestions here: http://invincible-windows.blogspot.com/

Hope this helps!

[kcotham]

As per usual, the trolls steer the conversation away from the story. This is a good thing, for everyone. If Apple is hiring people with specific skills in computer security, that means that they are thinking proactively. The fewer machines that a virus (or other malware) can run on, the smaller it's overall effect. And that is good for everyone, whether you run Mac OS X or not.

[Vegaman_Dan]

@kcotham:

I hope you realize you were one of those very trolls you referred to?

[kcotham]

No, look up trolling. I have not been engaging in that activity. I've merely been refuting lies spread by trolls.

[santuccie]

What lies? Is iBotnet a lie? Is it a lie that Dino Dai Zovi was able to remotely take control of a Mac in 2007, and then Charlie Miller this year and last?

There are no Mac drive-by downloads in the wild yet, because Russian bot herders don't know the operating system well enough to do what security researchers have been doing at CanSecWest. But now that they know it can be done, they'll be working on learning how. Like you said, good thing for everyone that Apple is taking action now, before an iConficker comes out.

[js.matrix]

@kcotham - Good analysis. Apple is being proactive. I just left the following comment to a couple of my friends on skype in the same vein....

Apple's advanced and innovative strategies, here is one more reason...
why Apple will continue to be a superior,  and SECURE  operating system over Windows.
http://news.cnet.com/8301-13579_3-10240242-37.html?part=rss&subj=news&tag=2547-1040_3-0-5

The occasional recent virus or occasional trojan that people use as an excuse for OS-X now to be targeted with increasing growth and popularity, Apple is NOT one to sit back on it's haunches and wimp.  
You won't get me back to Windows again,  at least not on an mainstream basis, for quite some time to come.  Such articles as this instill confidence for me in the operating system. ( = OS-X)

[kcotham]

Thanks js.matrix.

[nguidry]

What??? You realize Microsoft has been doing security updates since Windows 98 right? And all during that time, Apple users have based MS because of the constant patching. Now that Apple is having to do the same thing MS is doing, they are now innovative??? Quite hypocritical isn't it?

[kcotham]

All operating systems have periodic updates. None is perfect and none is "complete".

[santuccie]

@js.matrix:

Actually, Vista is more secure than OS X. Now, if Ivan Krstic implements a Mac counterpart of the XO's security technology, I'd agree that the tables will turn right back over in Apple's favor. But in the meantime, Vista is safe from drive-by downloads as long as UAC is enabled (Haute Secure or GeSWall could be added for a double-barrier), while Apple has the obscurity advantage. And as for XP and 2K, they can be fortified in a few easy steps: http://invincible-windows.blogspot.com/ Hope this helps, and stay safe!

[InklingBooks]

He's a natural for Apple. Look at that OLPC prototype. They got the logo wrong exactly like Apple initially did. It's positioned for a user looking at a laptop with the lid closed. Open the lid and for anyone looking at it, the logo is upside down. Apple's was an upside down apple. This is an upside down stylized kid.

Let's hope any new security techniques Krstic develops are open sourced so other Unix-based systems, including Linux, can use them.

[kcotham]

Maybe it's a kid doing a handstand!