• MorphOS Developer
    Piru
    Posts: 560 from 2003/2/24
    From: finland, the l...
    Quote:

    amigadave wrote:
    I know that MorphOS is not a secure operating system, except that it is less likely to get attacked simply because of its obscurity (not worth the hackers' time and effort for such a low number of users), but are there any additional security features built into Iris and/or Wayfarer?


    Since I work as a security consultant by trade, this kind of falls under my domain. I'll try to keep this as non-technical as possible.

    1. WebKit (and Wayfarer) attempt to be as secure as they can be. The code has been written in a way that tries to minimize the possibility of exploitable flaws.

    2. On top of the security features of WebKit (and Wayfarer), browsers typically rely on the operating system isolating different processes from each other. This is a fairly standard thing to have. Windows, Mac OS, Linux, Android, iOS, BSD variants etc. have it. We don't.

    3. Often there are also several different security levels (or domains), starting from very high-privilege system users and ending up on a low-privileged regular user. Most users should be using these low-privilege user accounts for their browsing to limit the damage that could happen if the browser is compromised. On MorphOS you're always a high-privilege system user.

    4. Modern browsers also use so-called "sandboxing": the web page rendering and scripting are isolated from the other, more critical, parts of the browser. If some exploit can be found in the rendering or JavaScript engine, the exploit will only gain access to a very restricted environment within the sandbox (and the attacker doesn't gain access to the user's files, for example). We don't have this feature either.

    Quote:

    Is it unlikely that a virus, or other malware intended for Windows/Linux/MacOSX users will have any effect on MorphOS systems? (probably a noob question, but I'm feeling particularly stupid today)

    We're indeed saved by the obscurity. None of the typical exploits written targeting the more prominent platforms will work. That doesn't mean it would somehow be impossible to target MorphOS, however, far from it. In fact, it would be far easier to write exploits that target MorphOS vs pretty much any other platform out there. However, again, we're so insignificant it's highly unlikely to ever happen.

    Quote:

    For reference, I had considered setting up one MacOSX system, for the express purpose of doing all of my email correspondence on it, in hopes that it would protect my Windows system from becoming infected if I limited it just for other tasks, and never opened another email on it in the future. Is this unrealistic?

    Rather than trying to avoid certain operating systems, the most important trick is to keep your system up to date with security updates: both the operating system and the applications you use. Enable automatic updates, if such a feature is available. On Windows I'd recommend using PatchMyPC or a similar tool to help keep applications up to date.

    The second tip is to use common sense. If you get an email that promises you millions or lets you know of a package arriving via DHL or UPS (and you didn't order anything), don't open the attachment or follow the links in this email. If you get a supposed email from your bank, your favourite social media, Netflix, Spotify or similar, always log in to your account via the browser by entering the site yourself. Do not follow any of the links provided in the email messages.

    If you follow these tips you will be just fine, regardless of the platform you use.
  • »28.10.20 - 20:48