Apple snags ex-OLPC security chief

Apple snags ex-OLPC security chief

Summary: Former director of security architecture at One Laptop per Child (OLPC) Ivan Krstic has joined Apple to help thwart hacker attacks against the Mac operating system.Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security.

TOPICS: Apple, Security

Former director of security architecture at One Laptop per Child (OLPC) Ivan Krstic has joined Apple to help thwart hacker attacks against the Mac operating system.

Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security.  His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac.

[SEE: Inside the $100 laptop's security spec ]

Krstic sees the OLPC's Bitfrost system as a foolproof way to defeat malware attacks so it's a safe bet he'll be working with Apple engineers on some form of sand-boxing of applications:

Instead of blocking specific viruses, the system (Bitfrost) sequesters every program on the computer in a separate virtual operating system, preventing any program from damaging the computer, stealing files, or spying on the user. Viruses are left isolated and impotent, unable to execute their code. "This defeats the entire purpose of writing a virus," says Krstic.

I've written in detail in the past about Apple's security-by-PR campaigns and the danger of assuming Macs are secure because hackers aren't targeting the operating system so it comes as pleasant news that the company appears serious about hiring top talent in the security world.

[ SEE: Apple bumper patch vindicates MOAB, MOKB hackers ]

Krstic is a no-BS software engineer who has done quality work in the past and his presence at Apple will only help.

Here's a talk that outlines Krstic's thinking around computer security.

Topics: Apple, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • OLPC XO-2 is an Apple/Microsoft/Intel killer

    I am looking forward to the cheaper, lower
    power, secure, ARM based Android-Sugar laptops
    to be released at $75 each, and to see how that
    will trigger a new revolution in the tech
    industry effectively eliminating the monopolies
    of the 20th century PC/Laptop giants of Apple,
    Microsoft and Intel.
    • Don't hold your breathe

      You say you are looking forward. How far forward?
      Marcos El Malo
  • A Users Perspective

    Apple has been criticized for promoting a system that is
    more secure than PCs. I'm not sure this is what they've
    done. The message has always been the same one that
    appears in the latest round of ads. The
    message is? "with Apple, there far fewer consequences".
    Perhaps it's a crime of omission to leave out the reasons
    for this. The reasons have always been a more complex
    mix of monoculture issue, technical issues, market share
    issue, and simple malice. Those who would count
    vulnerabilities, or make this a purely technical issue, will
    continue to have too narrow a focus. Clearly malware has
    become as much a sociological issue as a technical one.
    Clearly users count consequences and not threats. Is this
    complacency? Is it good sense? Everyone has an opinion.

    This new approach to malware holds a lot of promise. Its
    the shift in thinking away from the walled city approach
    that should have been outside of consideration since Troy.
    The larger PC economy has benefit from the gold rush
    though. Lots of careers and businesses are
    derived from open architecture's complexities and failings.
    The security industry as a whole has to be accountable to
    users. At any given time, the malware dance has felt like a
    protection racket. If this new idea can be deployed, and
    work on OSX, it's a bit of a coup.

    As it stands, the pwn to own contest results, or the
    number of Mac vulnerabilities have not added up to
    meaningful consequences. It's not a brag, it's just a fact.
    Could they? Sure, but that may not be the point.
    It would take 10 years of stagnant security, a reversal in
    market share, and boatloads of malicious intent for the
    Mac record of consequences to come close to that of the
    PC. This has become a branding issue. Apple's made sure
    of it. It's caused some resentment. Apple doesn't owe IT a

    Ironically, a move away from monoculture means that
    irrespective of any new security improvements, the effect
    of malware is blunted and dissipated. Add these new
    initiatives like bitfrost, the future looks brighter still.

    Users are tired of threats. Vendors who deliver results will
    win. If bitfost works for Apple, it will "pardon" Apple's
    crime of omission and will freeze the platform's record of
    consequences at a miniscule level relative to the PC. Users
    won't care how it was done. Users will pay for
    this via an "Apple tax" beacause they know they've always
    paid for it. Security is worth paying for, everyone agrees.
    The question becomes the cost.

    OLPC innovations, and the initial impulse towards goodwill
    will be validated and rewarded. Many times in it's history,
    Apple has been technology's telethon. Whether one uses
    their gear or not, we all benefit from a mechanism that
    channels cash from the coffers of adult consumers, into
    progressive thinking.

    Harry Bardal
  • No need for his work at Apple.....

    As I have realized from people on this site, there is no need for a security guru like this because he will be nothing more than a body to fill a seat at the company. Apple OSX is secure by design and cannot, and I repeat cannot be attacked in anyway other than social engineering.

    Makes you wonder why they would go out of their way to hire this guy for something they obviously do not need. Thats a weird move Apple? I hope they can explain it to all of us.
    • Could it be that Apple likes to change the game?

      As Harry mentions everyone benefits from Apple's crazy ideas...even if
      you hate Apple and never use any of their products, you will benefit by
      what they do. No one else seems to be willing to step outside the lines
      an do something different which leaves the competition scrambling to
      catch on and catch up.

      Right now the security issue is a quagmire and has nowhere else to
      go. It's going to take something other than continually building new
      barriers. The idea of security needs to evolve and it is Apple that
      willing to get that started.

      This is not a weird move and if you get Apple at all you would
      understand that it is a patented Apple move.

      Apple doesn't want to be the biggest computer company in the world.
      It doesn't want to create the richest man in the world. Apple just
      wants to be the best at what it does. This may be understating it.
      Better, Apple wants to make people happy.
      • Apple just invented chroot!!

        [i]As Harry mentions everyone benefits from Apple's crazy ideas[/i]

        Wow, Apple just invented chroot! Oh, and BufferZone ( But of course, this doesn't come as a surprise to any of us. We've witnessed Apple get credit for inventing lots of things that we've been using for 5 years now.

        [i]Apple just wants to be the best at what it does.[/i]

        And Apple is the best at what it does: branding stuff that has been around for years, jacking up the price, and selling it to kool-aid drinkers just like you! [b]Nobody[/b] does that better than Apple! :)
        • How about 10 years? See this :

          They are now trying to patent something people on that site (which is number one in this field (i.e. silent/dead-silent computers) have been doing for the last 10 years. Patetic.
          At least that way maybe they will learn how to make a silent Mac Pro and get rid of the stupid hardmounting for the hard drives (the Mac Pro is actually silent when it comes to fans (they spin at around 500-800 rpm) but the harddrives are hardmounted to the case and make noise.
        • Better Mouse Trap

          Haven't you heard of this concept Einstein? Why do care anyway, you are
          not a Mac user.

          As for Kool-Aid (asinine term by the's up there with the term
          fanboy which also seems to be used by the same types as you) I have
          probably been using multiple platforms professionally for longer than
          you have been able to use the potty. So I think I have earned the right to
          draw valid conclusions based on real experience. What vast experience
          do you have to draw on to support your wiseass claptrap?

        • Innovation, stupid. Not invention. Please get it right. [nt]

        • @NonZealot

          "And Apple is the best at what it does: branding stuff that has been around for years, jacking up the price, and selling it to kool-aid drinkers just like you! Nobody does that better than Apple!"

          Yep, your right, nobody does it better than Apple, at least until you include Microsoft in the equation, then Apple loses that top spot to Microsoft. How's that MS kool-aid taste NZ?
        • Hilariousness

          NonZealot, you've got to stop being a non-thinker if you're going to
          reply around here. Too many intelligent people hang out at ZDNet to
          accept boring old mythology FUD as fact. We're more likely to laugh at
          such rubbish than to buy, swallow and gag on it. :-P

          Literacy level low, or just plain stupid?
    • Well, except...

      the fact that you can brick an intel mac (I mean you have to replace the "logic board" aka mother board to fix it) by typing a single line at a shell prompt with administrator rights. But that's not really a security problem. Is it?
      • If this is possible, an admin would do this because why?

        A) I'm curious as to the method. Just interested.

        B) Why would someone with Admin permissions brick their Mac?

        C) Any Mac admin that allowed someone to discover or change the
        admin password gets what they deserve. Password protect the firmware
        and nobody but the source admin get in.

        D) How come Windows still requires BIOS firmware? Antiquated much?!
      • FUD?!?!

        WHAT?!? You are new to computers, aren't you. Man, you shills are
        getting worse.
  • You don't understand security, do you?

    Oh, I admit that if you can trick a person into using Safari, and clicking on a link, you can take over a Mac. That however is the only way you can do it.

    Windows on the other hand has so many holes, that can be attacked in so many ways, it's incredible. Even Vista, which Microsoft put a lot of work into, has had problems. Windows was never designed to be secure. OSX was. This is a huge difference.

    And Apple is moving forward to making OSX even more secure, which is great. What's Microsoft doing? They are putting lipstick on Vista, and calling it Windows 7.

    Microsoft's attitude seems to be: "Security? What me worry?"
    The Mad Hatter
    • What was that again?

      Get off your emotional fact ride and go check the stats for Vista and Server 2008 compared to OSX. Vista is a different beast so realize that. I use and manage many Vista systems and have no issues. Microsoft does very well with security so understand that as well. You want the stats I will provide......

      Most Vulnerable Operating Systems
      X-Force tracks vulnerabilities by platform and has produced metrics this year to show the operating systems with the most disclosed vulnerabilities. The following chart shows the operating systems with the most vulnerabilities documented in 2008. The top ten operating systems account for nearly 75% of all vulnerability disclosures affecting operating systems.

      Operating System Percentage
      Apple Mac OS X Server 14.3%
      Apple Mac OS X 14.3%
      Linux Kernel 10.9%
      Sun Solaris 7.3%
      Microsoft Windows XP 5.5%
      Microsoft Windows 2003 Server 5.2%
      Microsoft Windows Vista 5.1%
      Microsoft Windows 2000 4.8%
      Microsoft Windows 2008 4.1%
      IBM AIX 3.7%
      Others 24.9%

      • Ignorance is Bliss in Windows World

        The percentage chart you provided shows one thing: What operating
        systems are most scrutinized for security flaws.

        That puts Microsoft Windows in the basement as one of the least

        Meanwhile, let's examine what operating systems have had the fewest
        number of successful security attacks. They are, in order:

        Mac OS X

        This is no coincidence since both OpenBSD and FreeBSD are integrated
        into Mac OS X.

        How many active malware are there for Mac OS X at this moment?
        Eleven. All of them are Trojan horses. All of them require user error in
        order for them to be installed, aka Social Engineering. There are no
        viruses for Mac OS X, no worms, no illegal spyware/adware. There is
        no 'security by obscurity' for Mac OS X. There is instead fundamental
        security. There is also no such thing as perfect security, including for
        Mac OS X. But there is such a thing as poor security and Windows is it.
        How many active malware are there for Windows? I lost count after

        Vista was an improvement. Vista SP3, aka Windows 7, is likely to be a
        further improvement. I sincerely hope so. About bloody time.
        • This flaw isn't even fixed in Windows 7.


          [i]Microsoft has failed to remove a long-recognised Windows Explorer security risk from Windows 7, according to security company F-Secure.

          The 'hide extensions' feature, which was present in Windows NT, 2000, XP and Vista, is included in the Windows 7 release candidate, F-Secure's chief research officer, Mikko Hypp?nen, said. The feature could allow virus writers to trick users into opening and running malicious files, he added.

          "In Windows NT, 2000, XP and Vista, Explorer used to Hide extensions for known file types," Hypp?nen wrote in a blog post on Tuesday. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."

          For example, malicious code writers could name a 'virus.exe' file as 'virus.txt.exe' or 'virus.jpg.exe', he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see 'virus.txt' or 'virus.jpg'. Additionally, virus writers would change the icon displayed with the file in Windows Explorer so it looked like the icon of a text file or an image. Users might then click on the disguised file.

          The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers on 30 April.

          Microsoft had not responded to a request for comment at the time of writing.[/i]
  • RE: Apple snags Ex-OLPC security chief

    Maybe this links with getting Hypervisor Type I (or II)?Windows on Mac needs it