Archive for the 'java' Category

OSX Doomsday: One Week Away

June 22, 2007

Apple will release their highly-advertised and highly-coveted iPhone a week from today. With all the clamor about how nifty it is, I think it’s time for a reality check. And I don’t mean how much an iPhone will cost upfront, or how owners and users will be locked into multiple subscriptions (AT&T will require a two-year service contract, Apple will require an iTunes subscription, etc.).

I mean: how secure is OSX?

Apple products, aside from iPod, have never garnered enough use to warrant the kind of onslaught Windows has faced from hackers. I think iPhone is about to change that.

Why do people rob banks? That’s where the money is. Hackers attack Windows because of its prevalence. It helps that it’s historically been so vulnerable to system compromise, but it’s not attacked simply because it’s vulnerable. Windows is hacked because it dominates desktops, laptops, and has a sizable share of other devices like phones and PDAs. Hackers generally don’t target OSX because 5% of the market — and it’s actually a lucrative 5% of the market given Apple’s demographics — isn’t worth the hassle when 95% of the market is awash in Windows. Windows is where the money is.

If iPhone really is all the rage, suddenly mobile phones running OSX become a legitimate target. That can change the dynamics because all of a sudden Apple will have their OS on devices in a lot of hands, which means hackers will have more reason to probe and exploit vulnerabilities in OSX.

And for the same reasons they attack Windows computers.

Many people already use smartphones for managing the content of their lives. Banking transactions can be carried out via Java applets. Other personal data are transmitted. Some of it’s encrypted. A lot of web use, though, isn’t.

Apple has yet to address questions about security related to iPhone. So has AT&T. The only articles I found in searching for those company names along with iPhone and security this morning relate to stepped up loss-prevention in AT&T and Apple stores next week. I haven’t found very much about securing data on iPhones or across networks.

Most of the security articles I’ve found about iPhone, in fact, deal with how IT professionals are implementing policies about iPhone use on their networks. In many cases, they’re pre-emptively banning them from their networks.

Aside from bashing Microsoft in silly ads, Apple doesn’t have much experience with security. They’ve lived in their sheltered world with a comfort that comes from a small slice of the market, not from inherently safer code. The release of Safari for Windows — yes, I know it was pre-beta — shows that they’re not on the ball. To their credit, they released their first security patches within 96 hours. But Apple won’t get away with reactive security on mobile devices like that.

I linked to articles about Dino Dai Zovi’s nine-hour pwn of a MacBook at CanSecWest (see Apple Sucks). It took people like Aviv Raff and Thor Larholm less time to find holes in Safari for Windows.

With the iPhone, there will be a lot more eyes looking for exploits in OSX. The exploits are already there.

The iPhone could very well turn into the iPwn.

Re-Thinking Linux Distributions

May 13, 2007

George Belotsky has an interesting and forward-looking article at OnLamp about moving Linux to a web-based operating system. This approach isn’t particularly novel — there are some web-based operating systems in development — but Belotsky envisions moving a lot of what comprises a normal distro into web-based services like Google Apps.

One area where I agree with him is that the post-PC era is upon us and mobile devices will reign. Where I disagree is that Web 2.0 is going to be up to the task of fulfilling demands of individuals and businesses. As he correctly notes, many of the services now available are too insecure (and too unreliable) to be acceptable replacements for traditional software.

I also think browsers already define the desktop experience and will continue to become more important. Belotsky notes that there is talk in the Mozilla development community about extending XUL beyond the browser and onto the desktop (or mobile device desktop). They’re not alone. Sun has tried this before with Java without much success on desktops — but they’re increasingly important in mobile phone technology. I think Sun will continue to dominate as they increasingly open their code and put out products like JavaFX, the release of which I wrote about earlier today.

Belotsky also covers other existing tools that would allow for a hybrid web-based OS to be built atop Linux as a local client. The local client would feature the kernel and a compilation of applications that run locally and are used to access those shared on the web, where applications could be used via the browser.

I agree with Belotsky that providers will be able to offer myriad set-ups to consumers. My concerns, though, remain focused on the security of such arrangements. Web-based services will have to both guarantee availability and provide adequate protection to their users — that’s something that will rely on a Catch-22 between consumers’ wanting secure web-based services and their willingness to actually pay companies enough to make it more secure (the false comfort of the status quo, while not ideal, is where most people will elect to remain because people are resistant to change). The Internet is already a hostile place when it comes to issues like data security and privacy. Moving everything to the web will only invite more invasions of privacy, so companies offering software-as-service will have to move quickly to establish credibility.

Sun Releases JavaFX Scripting Language

May 13, 2007

Sun has released their new JavaFX scripting language they claim will allow “content developers to leverage the enormous popularity of Java to create rich applications and services for deployment on the widest range of platforms - from mobile devices to set-top boxes and Blu-ray DVDs to desktops.”

Benefits
* Increases developer productivity
* Offers an intuitive language design
* Requires less code
* Enables faster development cycles
* Zero loss of functionality across devices

Sun is continuing their move to open source licensing with their products. OpenJFX is open for business and includes JavaFX Script and JavaFX Mobile, a mobile-centric development platform that is built around Java and Linux and builds on Sun’s IP from their acquisition of SavaJe Technologies.

Open-Sourcing of Java Almost Complete

May 8, 2007

Sun is announcing today that they’ve completed re-licensing — to GPL version 2 — the core of Java. With this move, Sun hopes to get some help with the rest that isn’t yet GPLed:

Sun hopes the open-source community will help it resolve the issue of Java source code that remains “encumbered,” where Sun doesn’t hold enough rights to release the code under GPLv2, according to Rich Sands, community marketing manager for OpenJDK community at Sun. While he declined to put a percentage on how much of Java’s 6.5 million lines of code are encumbered, Sands said the issue was primarily with Java 2D graphics technology, particularly around font and graphics rasterizing. While open-source alternatives are already available, they don’t currently support all the necessary features of the Java 2D API (application programming interface).

This is a good move by Sun to get Java embedded in scaled Linux (i.e., handhelds and smartphones) projects, as well as by distros like Ubuntu.

Ubuntu and Sun in Java Partnership

April 21, 2007

Sun is working closely with Canonical, parent company of Ubuntu, to get Sun’s Java platforms (and other technologies) into Ubuntu’s multiverse repository. Open sourcing of Java continues to be a roadblock to getting Java into the main repository, but Sun is moving quickly to do that.

Included are packages for NetBeans, GlassFish, Java SE, and Java DB 10.2. These will be for Feisty Fawn only, not backported to Dapper Drake or Edgy Eft.

Sun hopes this will spur new Java development in the Linux universe, and that other distros, including Debian, will come on board. Why shouldn’t it? Ian Murdock just went to work for Sun.