Website: http://www.matasano.com/log
Original page: http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/
While I agree many Mac users should be more serious about security, it's still not time to say MacOS X and Windows are on equal footing - not by a long shot.
"Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference."
Nice to see that any time a Mac OS vulnerability is discovered it makes the news. There's so few of those! With windows it's so common...
This said, of course Macs are vulnerable. What isn't?
One of the reasons, as pointed out in the article, is that there's a Mac for every gazillion windows pc, so exploits for Macs are more for sports than money. To me it's a great reason to be Mac. Sorry Steve: sell all the iPods you want, just don't advertise Macs too much. 3 or 5% market share is enough.
Still under the tone of presumption, what year is Apple going to adopt heap protection? Maybe the media will cover it (again) that Vista continues to be more secure. Oh well you have to spend time working on securing an OS to secure an OS -- we aren't growing sea monkeys
Oh wait, that's Bill Gates, nevermind.
"I bet it depends on third party software."
"Another faux disclosure!!! Where's the proof? Where's the code?"
"That would never happen to me."
Dino: wow on the mind-blowing acceleration from-standstill-to-pwnership. Congrats on the bounty. Buy me a ponie?
Yet.
Congrats to Dino on his quick execution. I guess we've established an OSX clientside is worth somewhere between $3K and $10K. And OSX remote is worth somewhere > $10K. With binary search and enough datapoints, we can have our own vuln futures market.
Drink if you read:
- Snobby comment about Mac superiority.
- Snarky comment about Windows.
- Snarky comment about Macs or Apple.
- Snobby comment about Windows superiority based on the idea that because lots more people use Windows it is better.
- Snarky comment about Gates being nerdy or rich.
- Snarky comment about Jobs being arrogant or controlling.
Chug if you read:
- Snarky comment about both Windows and Macs in one post.
- Half-hearted attempt at snobby comment about Linux or Unix superiority.
- Attempt at argument that Mac OS is superior because it is built on Unix.
- Attempt at argument that Windows has superior security because it gets lots of viruses and exploits.
- Post with link to a website that remotely escalates account privileges.
- Rationalization that a prize winning, Zero day exploit on OS X means that OS X is less secure than any other OS.
Time to create an exploit for a stock Mac via a malicious website: 9 hours.
Time to exploit a stock XP machine via LAN, malicious site, email payload, macro virus, GIF trojan, Messenger hack, IE quirk: how fast is your stopwatch?"
Congratulations to Dino on the $10K reward. May it go towards the purchase of an Octocore Mac Pro, to reduce compile times for the next demonstration of his coding prowess.
/crosses fingers.
Anyone know if it affects both Intel and PPC?
Also, why'd they have to lower the bar? The original "contest" was accessing a Mac remotely without getting the Mac to do anything special. Then it was changed to autoloading a specific URL? Was Safari automatically relaunched if it crashed?
I don't know anything about the "original" rules vs. the "current" rules, but note that the worst Microsoft problems are also clientside vulnerabilities in the core user applications.
As for "original" versus "current" you can see the changes here http://cansecwest.com/index.html
Notice on 4/20 the attack surface was increased. Also, there's another Mac that's still open in the contest. The same exploit cannot be used twice. The new one requires you also become root.
Sorry but if you have to "lower" your barriers, then that's not a true deal. Sort of like having a hockey goalie play without pads and a glove because he stopped every shot otherwise. Why would CanWest do this on only the second day too? Load of junk!
Clientside vulnerabilities are common attack vectors against windows systems as well. What you call "lowering the barriers", I would call "normal use cases for a Mac".
"let's see it work in the wild first"
obligatory: duuuude, i wonder if he totally pwned it at 4:20 on 4/20..
Sorry Dave G. but having to change the rules enough to allow a contestant to try another means of gaining access via Safari does not constitute normal use cases for a Mac. However I am glad that a possible flaw has been identified even though this flaw in all likelihood will not affect other Mac owners outside of CanSecWest and the winner(s).
Remember CanSecWest set a competition and no one likes an unwinnable competition where no one wins. By raising the award to $10,000 the organisers had to relax the rules somewhere.
There is one more MacBook Pro to go and the same method cannot be used again, plus root access has to be made in order to win this one. Should this be successful and I doubt it will be as long as the organisers don't relax their rules, this is the one to watch and see what happens.
I put it to you all here what would it be like if the same set of rules for a competition was applied to a Windows laptop, say a Sony Vaio? Would the organiser of that have to relax the rules? I know that Microsoft ran a similar contest for Vista and somehow the details of that disappeared - I wonder why?
Also, given that no OS is invulnerable to exploitation, why was the attempted remote hack unsuccessful? Drive by exploits in Windows have been dime-a-dozen....
http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07...
I'd like to find out how I can use these nightly build Webkits in my Safari & other Webkit based Browsers/RSSreaders
Do we still require the http://groups.google.com/group/moabfixes if we use the latest Mac OS & all security updates? And why don't these get included in Paranoid Android, the security Ape you created & later open sourced (so Landon hasn't got an excuse to get involved & make this happen)?
To anyone who can answer this one :
Does this hack, which is JavaScript if I'm correct, need admin rights?
In other words: if the user who browses to the hacked website has no admin rights & the user doesn't provide an admin user name & password, can this hack do its work?
Thanks for playing the drinking game though.
Chug chug chug.
See http://lists.immunitysec.com/pipermail/dailydav... and http://www.securityfocus.com/archive/142/464216... which were both posted long before the contest started.
Btw, is k2 covering the capital gains taxes? Inquiring minds want to know!
Nectar: Anything left over from spending it on an octocore mac pro goes toward your pony :).
Other drinking game speculators: With any 0day bug, there is a ton of conflicting information in what it is in and what is affected. I obviously don't want to say too much so as to hint as to where the bug is until a patch is released. I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being exploited.
And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky :). I have spent way more time not finding bugs many other times.
You said remote exploits. The "dime a dozen" exploits are exploiting client-side vulnerabilities you try to poo-poo.
Common misconception is that browser attacks are only social engineering or PEBCAK issues. There have been multiple cases where popular websites were hacked and an attacker modified the website to serve up some clientside zeroday.
"Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.
"In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being “able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X.” That part was simply wrong.
"Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring’s article clearly described a local exploit. There’s a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application."
More info under a series of subheadings:
Gohring's Mac Security Myths
Microsoft’s Security Embarrassment
Mac OS X and Security
The Mac Minority Malware Myth
Why Macs Aren’t Sending You Spam
Agreed...ActiveX enabled sites come to mind on the Windows side. Re the Mac Safari exploit, I'm curious what specifically needs patching on Safari that isn't necessary for Firefox, Camino, OmniWeb, etc. (assuming that they are not similarly vulnerable).
And they're still wrong, either way.
On a side note, those complaining about "mac zealots" seem to be very anti-mac zealots, so it just becomes a perpetual circle-jerk between the two camps. If I could filter out all the moronic MS, Linux, *nix, OS X posts and just read level headed articles I would. But that will never happen when the people reporting continue to sensationalize.
Congrats on the 10K, btw!
I'd just like people to realise that their safety or lack of safety is down to hard work by security researchers, OS designers and *themselves* on one side vs. black hats and script kiddies on the other side. Not magic, or how nice the CEO of the company smiles at the camera.
“Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference.”
I just wanted to note that the reason Gruber brings this up is that he has made it very clear in previous articles that he believes "Open 'Safe' Files" should be turned off by default. Every new exploit found which makes use of this preference is another point in favor of getting that preference turned off by default.
Mac users want Macs to be secure, too.
If Dino really did discover this flaw on-the-fly as claimed that's very impressive. Congratulations.
Maybe it'll be another point in favor of getting rid of Java. ;)
If you guys count LMH and the users themselves on the same side, I think LMH didn't get that memo.
Oh wait. That's (close to) Apple's actual strategy.
I think, in this one instance, that I speak for the community as a whole when I say: it's not the Mac we don't like. It's you.
This is an example of the exact behavior that is uncalled for. Direct personal attacks. I believe the behavior of "zealotry" on either side is abhorrent, but this isn't going to make me "hate" a person. My goodness man, that is such a childish reaction.
Did I strike some nerve with you? Remember the old saying, if the shoe fits....
No it would be an OPEN SOURCE vulnerability and therefore it'd go for free.
zealotry, superior, inferior, "calling names", hate, behavior, "personal attacks", abhorrent, childish, nerve, zealots, "inaccurate", complaining, "perpetual circle-jerk", moronic, sensationalize.
Now, in fairness, the worst of my response to you:
"None of us like you."
However, one of the problems with the reporting of this exploit is the insinuation that the motivating factor is to shove pie in the face of all those Mac zealots who brag that OSX is invincible. In my opinion, this contest would be a hell of a lot more interesting if the winner had hacked a lappie configured the way that a growing number of broadband users would: ie., OSX firewall enabled; stealth mode enabled; running behind a router with SPI enabled, etc.
Yeah, I turned off Javascript too, but I did that because there's always a risk that Dino will whip out a Javascript variant just to make me look dumb. But there's no specific reason to do that right now.
The reason I made mention of Gruber's comment vis-a-vis 'open safe files' is that I seriously doubt that ZDI would pay $10k for an exploit that depends upon that.
@Brian R:
I fail to see how your suggestions of "OSX firewall enabled; stealth mode enabled; running behind a router with SPI enabled, etc." would matter.
A host-based firewall would let any web content in, as it's been requested by a user behind the firewall. Stealth mode has no effect because again, the attack is a clientside bug in Safari. A router inspecting packets will only be able to detect attacks that it has configured in its filters, which may not detect a 0day attack.
You can get the webkit nightlies from WebKit.org.
As the days go on, this is looking more like a plugin problem if Firefox has the same issue.
Thomas, I assume that Dino did the responsible thing and immediately reported the bug to Apple's security team or immediately reported it to the security component in their bug reporter?
I'm simply going to delete comments that try to turn this into the Maynor game. There is zero question that Dino's exploit works, and, because of the manner it's been disclosed, virtually no chance that Apple isn't going to acknowledge it.
The only person that made it personal was you. I find this illuminating. Taking what words I use and just listing them out of context is a cute way to attempt to make it seem that I'm name calling, but if you go back to either of my posts I have not done so. I'm sorry if you felt I was calling you childish, I was not, just your response.
Further, don't you think it is a bit presumptuous to speak for "everyone" or did I miss something and you are God?
I apologize if any of my words, none of which were ever directed at you, hurt you. I'm sorry that they cut so close to the bone that you felt a need to respond in such a hateful manner.
Do you have anything technical to contribute? I just posted a challenge. Take a crack at it! Maybe it'll take your mind off of how fed up you obviously are with security professionals.
http://www.matasano.com/log/809/a-little-challe...
To help alleviate some of the questions about the disclosure of this vulnerability, and details surrounding it-
Dino has submitted the details of the vulnerability he used to the Zero Day Initiative program. We will independently verify the issue (as quickly as possible) and then formally contract the vulnerability and award the bounty to Dino.
As soon as the issue is verified, we will immediately disclose the vulnerability to Apple (and Mozilla since Firefox has been found to be vulnerable as well).
At that time, we'll post the issue on our upcoming advisories page: http://www.zerodayinitiative.com/upcoming_advis...
So everyone can track it until Apple resolves it.
As per the ZDI disclosure policy, details of the vulnerability will not be discussed in depth until the respective vendors have a chance to get updates out.
There are individual Microsoft Windows bugs that have cost billions of dollars. The singularly low quality of Microsoft software is the elephant in the room in tech today. Anyone defending Microsoft on a technical level has to be immediately suspect because they are so far out of date that my next phone is going to have both a better core OS and better Web engine than Microsoft Windows Vista. It isn't just Microsoft's illegal business practices that are the problem there is also the massive quality problem.
11 com.apple.Foundation 0x92bc9a00 _NSBundleLoadCode + 820
12 com.apple.Foundation 0x92bc91e0 -[NSBundle load] + 308
13 com.apple.Foundation 0x92bc9094 -[NSBundle principalClass] + 44
14 com.apple.WebKit 0x95be1690 -[WebPluginPackage load] + 60
And then He has some serious problems with images mapping:
1 libobjc.A.dylib 0x90a45d4c flush_caches + 220
2 libobjc.A.dylib 0x90a3fb7c _objc_read_categories_from_image + 136
3 libobjc.A.dylib 0x90a3d260 map_images + 656
4 dyld 0x8fe0f590 ImageLoaderMachO::doNotification(dyld_image_mode, unsigned, dyld_image_info const*) + 108
5 dyld 0x8fe035c4 dyld::notifyAdding(std::vector >&) + 260
6 dyld 0x8fe0dc34 ImageLoader::link(ImageLoader::LinkContext const&, ImageLoader::BindingLaziness, ImageLoader::InitializerRunning,
I cannot say whether the bug discovered by Dino was this or not, but to me it sounds like..
Thanks for that post. Can you disclose whether Dino's reported vulnerability affects browsers beyond Safari and Firefox: ie., Camino, Opera and OmniWeb?
I have nothing against computer security professionals, real ones. A true professional does not would not make generalized statements or take words out of context in an attempt to make themselves look good.
You do not appear very professional Mr. Ptacek as you have assigned things to me that I have never said and taken things I have said out of context.
I'll post a challenge for you Mr. Ptacek, can you make a post without cut and paste? Can you find where I said I am fed up with security professionals? I'm not by the way but if you can find the post cool! But you prefer to write things in the hopes people will read it and if enough people read it maybe it will become fact.
What are you going to accuse me of next Mr. Ptacek?
Hypothetical straw-man Mac person: if I could send you back through time so you could catch up to security research circa this decade, really and for true, I'd do it.
You don't really understand how the press works, do you? It's news now. Sorry. You can't insist on attribution any more.
http://www.matasano.com/log/434/ignore-igor-mut...
Ah, I didn't realise that was a prerequisite. Sorry, I'm a Mac user, not a right-wing nutjob (well, maybe the nutjob bit is accurate).
If the issue is in Java, why would you bother to contact Mozilla? Does Firefox ship with its own JVM now?
thanks for the matasano site. Was unknown to me. Great resources.
One question though, the very same engineer who developed the exploit on Dino's finding said that because in real life people will be behind a router this exploit will not be capable of a full remote exploit. Could you elaborate on this?
Well if it's Java then yes . . . (watch Jobs get rid of Java from OS X as well as the iPhone - 'I told you it was a goddamn ball and chain').
I like the fact Firefox is affected too, because it makes a lot of people look dumb for thinking that makes them better/safer and mouthing off before knowing the facts.
Also - changing the rules of the contest is completely acceptable as it's been clear - you could see it as a sequence of challenges. Personally I think the fact the second challenge has been achieved gives more credibility to OS X surviving the 'drive-by' phase - it shows it's not just that no one can be bothered, but that it survived.
The problem will come when it hits the mainstream media, or at least cnet, where the story will become confused, or simplified.
Robert C - we just don't know Apple's strategy or what efforts they put in, internally, into security, do we. The fact that MS employ a full time security PR team, and have realised it pays to engage with the security community, tells us nothing about Apple. Just as we don't know how effective any Mac AV software is. Here's our opportunity to find out.
Distribution of vuln : I'd guess mySpace or any other easily hacked site that allows embedded code / mashups, and has an audience likely to have a significant number of Mac users. Or at the very least that's the kind of place you can get somewhere to link somewhere dumb by spamming comments.
Or put up a site of 'Leopard preview screenshots'.
Thomas, I meant Macaulay. He made the comment reported on securityfocus web site:
"This is more realistic," Macaulay said of the exploit. "Everyone is going to be behind a router, so you are not going to have a chance to use a fully remote exploit."
Will then Safari become slower or Apple will be able to post a patch to its own Java VM?
I thought it was a specific Safari issue rather.
Is it obvious to only me that these people are only looking to find a way to make more money?
What a sickening thought that the great programming minds of our world think only of profit and spend their resources scaring grandmothers and other people who just want to use their computers for fun. "Buy our software before it is too late, you wouldn't want to lose those pictures of your grandchildren, would you?"
I don't think anyone ever said MacOs X was invulnerable. We all know that there are some few viruses for the Mac because its marketshare is significantly less than MS and the negative effects of writing this code wouldn't be big enough for the people who write such code. Then again, perhaps they aren't into scaring grandmothers, and other people who enjoy using the Mac, unlike their more "ethical" counterparts that create Anti-virus software :-)
Please, try not to choke when you enjoy your victory meal, we wouldn't want any more negative effects from this silliness....
Dino's time is valuable. Dino has no obligation to Apple. Apple charges him to run Apple software on Apple hardware. Dino pays them money to use Apple gear.
You have never found a vulnerability in Apple code. I am guessing you've never found a vulnerability in anyone's code. I want to understand better why you feel like you can dictate terms to people who do that work. If you'd like a different standard of disclosure --- and I will probably agree with it --- why don't you go find some vulnerabilities of your own?
Long time Mac (and Windows) user, and of late, security guy.
User/Client side exploit is the BIG attack surface in my world these days, so it's good to see attention going that way.
But hacked the Mac is and I wonder what this means? Will there, at long last, be one exploit in the wild for the OS X? Will more than one Mac ever be exploited?
Reading all the snarky, snobby FUD above one would think the Mac bird flu was moving across midwest . . . but that isn't the case, is it?
Macs currently ship about 5% of PC marketshare but still have approximately (rounding here) 0% of the exploits. If they are as fragile as the discussion here implies, shouldn't they at least have .0001%?
Explain it to me like I'm 4. Why does it take a convention to hack one Mac (using relaxed rules) and if a PC (and tell me if I'm mischaracterizing this) was configured similarly and placed on the web _anywhere_ it would take less than an hour for exploits to start taking the machine over and making it into a Borg machine?
Am I overstating this? Did the Mac have a firewall turned on? Any antivirus protection? What am I missing here?
Why is the difference in the reality of Mac security (zero exploits in the real everyday user world) vs PC security (numerous exploits across the board unless draconian efforts are made to secure a home PC) so stark? Marketshare just doesn't cover it.
Why the difference in the real world? And no BS, please, tell me the real reason why Macs are de facto, so secure.
JoeL
The reason why Macs are, prima facie, *safer* is that they are a less relevant target for attackers.
http://www.matasano.com/log/644/safety-vs-secur...
But Tom, how in the world are you going to get the mac zealots to come visit your web site?
Interesting, you could have chosen to educate or to be smugly juvenile. I might have gone another way. I know why a firewall doesn't help when you choose to navigate to a site with an exploit embedded in it, still, it doesn't explain why Macs are safer overall. I know you know, if you don't then there is very little chance I'll be able to explain it to you.
Your "they are a less relevant target for attackers" is obfuscatory drivel and doesn't really address the issue. Why is there a 5% marketshare of Macs but 0% marketshare of Mac exploits? You know. Jupiter Research in 2005 said that 14% of businesses with 10,000+ employees run OS X Server. I know of companies here in Fatlanta that run OS X Server. If companies run it and Mac users are such braggarts about being so secure (like me, no firewall and I download music randomly and run no antivirus) and if security geeks are holding conferences where they jury-rig some exploit off a 2nd party card that isn't really widely transferable to the real world like many of the most damaging Windows exploits are, then how is it possible that Macs are "less relevant".
Some of these guys are DROOLING to see a virus in the wild for Macs. Drooling! I know I read the comments after these articles and you'd think their city just won the super bowl, world series and their girlfriend is playmate of the month when there is even a _suggestion_ that a Mac is perhaps, maybe, someday, under-the-right-circumstances, "watch-out-it-could-be-you-next", if you just go to THIS website, vulnerable.
They've heard how bad Windows security sucks for so long and what you have to do to lock it down (and my Windows machines ARE locked down, haven't had a virus in some time!) and if Mac were just 1% as sucky, they'd die happy . . . .
Every other day I see an article about Mac security and how poor it is from some company either with a product to sell or a bone to pick, but I NEVER see these exploits spread into the wild like the Windows exploits so commonly do. EVER. Why IS that? There's so much public interest in Mac security literally EVERY DAY that your puerile excuses about how "they are a less relevant target for attackers" just sounds . . . well, silly! Look it up man, plug "Mac vulnerability" into any search engine and check out how "relevant" thousands of people think it is.
Why have so many PC exploits spread worldwide and caused billions of dollars of damage and yet even when someone finds some potential exploit in the Mac OS, it never does? Yes there are _potential_ exploits found in the OS regularly just like any OS. Yet nothing comes of them.
There is a reason and it's not numbers, babe. You're the expert I'm just a fanboy.
JoeL
I'd like you to name one of the security "geeks" you know that are DROOLING, just DROOLING for an OSX virus. I'll give you a tip, while I'm wallowing in smugness: check our blogroll and comment feeds.
Just name one.
Soooooo . . . your assertion is that all companies over 10,0000 employees are Fortune 500? Wow, I guess our economy isn't as big as I thought! You might want to retool that logic stream there, Frege.
"I’d like you to name one of the security “geeks” you know that are DROOLING, just DROOLING for an OSX virus. I’ll give you a tip, while I’m wallowing in smugness: check our blogroll and comment feeds."
Ahhh! You're seeking a diversion! You want to avoid answering my pesky query so you select an observation I've made about the character of these discussions and want me to prove an unprovable so that you won't have to comment on what my post is really about. Nice. A sort of straw man technique to avoid having to answer my question. The question. Such courage, such panache! What intellectual curiosity!
I don't believe it, but let's _say_ NO Windows security bloggers find Mac assertions of invulnerability galling and wish in their heart of hearts that JUST ONE Mac virus would do generally harmless, but widespread mischief in the Macish world (And Red Sox fans wish the Yankees well . . . .).
So in this utopia of yours, why has the OS X Mac been so secure and Windows (at least until Vista and then we'll see), NOT (see previous note). Your turn. Be honest. It's midnight, you can be honest. I know there are structural difference between Windows and the Mac, differences in approach that go back to almost the birth of Windows and its proprietary codes. Macs were reborn in 2001 Phoenix'd from NeXT. Hatched from Unix.
I swear these discussions crack me up. You guys really live in your own world, don't you. Hacker parties where they try to hack Macs under very controlled circumstances and then chortling with glee:
"In the meantime, a drinking game: predict the rationalizations given by Mac zealots for why this finding “doesn’t count”."
What was it you wanted me to look up again? "Mac Zealots?" There's more . . . but answer my question.
I was watching a news program where one political operative said during one of those Crossfire moments that "everyone has an agenda". Everyone of course, except the articulator of everyone else's agenda. The camera panned to another veteran newsman and his face said it all, "yeah, everyone but you -- right."
BS is so much easier to spot than exploits.
JoeL
* Wal-Mart
* Exxon
* GM
* Ford
* GE
* Chevron
* Conoco
* Citigroup
* IBM
* AIG
That list might look familiar to you. Sorry.
Just to add a little fuel to the fire, here's the start of a mailing list thread with some anecdotal discussion of Macs getting compromised:
http://lists.apple.com/archives/macos-x-server/...
The bad guys don't need OS or service vulns if you have a weak password or are running some broken PHP.
http://1passwd.com/ ......and comment on their approach to protecting Mac webforms, passwords, Keychain, etc. How readily do you think you can crack their solution, given that the password utilized in setting up 1Passwd is not logged or stored anywhere. Also, look at their approach to defeating keyloggers and phishers...thanks.
http://noscript.net
"Just to add a little fuel to the fire, here’s the start of a mailing list thread with some anecdotal discussion of Macs getting compromised:
http://lists.apple.com/archives/macos-x-server/... "
You didn't read down far enough:
http://lists.apple.com/archives/macos-x-server/...
They used a compromised user account, not a bot.
JoeL
The AJC recently ran an article about how much the switch has saved them and their major advertising vendor, DTI, which does business with nearly every newspaper in the US reported that “Our clients were primarily Macintosh users”.
Cox Communications uses more than Mac's servers of course, Final Cut Pro Non-Linear Edit Suites are common across the entire company and who can say how much penetration Macs have in other areas of this media company? Fortune 500 baby!
I also remember that U of F also runs OS X servers and desktops, that's 50,000 students and professors.
But is this going to be a pissing contest now? I thought someone, anyone would step up and answer my question. No one has. Now why would that be? No guts, no glory!
Why is OS X so much more secure than Windows? I know you guys know, you're just too . . . err . . . timid to admit it.
And really, a link to some obscure discussion about a bot that turns out NOT to be a Mac bot? Really, that's pathetic. Step up or step off wimps . . . .
nyuk, nyuk,
JoeL
Please cite a source saying Cox uses Mac *servers*. Any enterprise with "creatives" in-house will use Mac desktops, but attackers aren't motivated by zero-day TIFFs.
No, I actually read the whole thread. Compromised is compromised. Weak passwords are one of the lowest of the low-hanging fruit; why bother spending time and/or money weaponizing a "real" vulnerability when you can just write a loop around ssh and /usr/dict/words?
My point (if any) is that saying "No Mac has never been pwned in the wild" is prima facie incorrect; if that's what you were trying to say earlier, I think you actually meant, "I don't have any evidence of a Mac being pwned in the wild by a remote vuln in Apple software" (because I assume you're going to discount vulns in, say, Apache).
Does OS X have vulnerabilities? Sure. Has OS X been widely compromised a la Windows? No. Name one compromise that has been widespread and has done damage. Can we say the same for Windows? No we can't. Windows exploits are legendary and widespread and ongoing. There are over 22 million OS X installs in the US. This isn't a small target. And BTW, the test was for a desktop system, so whining that OS X Server isn't installed widely is kind of lame.
It's interesting to me that this conference didn't set up three computers for the test, one Windows running Vista, one Mac running Tiger and one Linux (pick your distro). But as Microsoft is a sponsor I guess that just wasn't in the cards. From a Mac-watcher's POV this is all too familiar FUD.
No computer is completely secure, but to suggest that Windows security and Mac security are somehow equal given their architectures is a whole new level of naivete. It's hard to imagine what mental gymnastics are required to arrive at this self-congratulatory circle jerk . . . but it's fun to watch!
The fact is, both Macs survived ethernet and wireless access attacks. No one was able to commandeer either machine under the original rules. On the second day, regardless of your making fun of the phrase, the rules _were_ relaxed and hackers were allowed to put code on a wiki & do drive-bys using Safari.
What we learned is that Safari has a flaw, nothing more. So does Firefox and so does the PC version and IE? Well, you tell me. And refresh my memory, even with the "relaxed" rules, the second MacBook was never compromised, correct? Maybe next time you could sit at the keyboard with root access open. Or maybe they should just have installed Vista using BootCamp.
It's been fun(ny) . . . .
JoeL
Just one person.
I will be more than happy to reciprocate.
“Apple has made some sound design decisions in Mac OS X, such as minimizing the number of default open network services, using non-executable writable memory segments and employing a well designed administrative user authorization system, that are also good security measures.”
You, uh, know this guy, right?
If you were to look at the thread of my posts they are essentially (with some frills around the edges) the same as his comment: that Apple made sound security decisions in their design of OS X. Not least of which is that it is built on a foundation of Open Source Unix while Windows is entirely proprietary and secretive.
BTW, your response is so vague as to be interpreted in almost any way, so it's impossible to know what you're referring to exactly. Plausible deniability!
My question put to your group of somewhat supercilious and dismissive posters might have easily been answered by Mr Zovi's comment as quoted above.
BTW, do you agree with this guy or is he another "zealot?"
I also note that Jim Schmidt struck a reasonable and mature tone in the discussion about the notion of attackers on both sides being engaged in a polarized "circle jerk" only to be attacked personally and unnecessarily by Thomas Ptacek (proving his point). Clearly, maturity has nothing whatsoever to do with security work.
JoeL
Is it harder to discover a new exploit in windows or in mac?
Why are macs so safe if they aren't secure? You hear about occasional crimes happening in the suburbs, but you never hear about instances of malware affecting macs.
A straight answer would really help me understand the security of my computer better. If there's no clear answer, just say so, or guess, or something. : )
Macs are safe for the same reason my house in Oak Park is safe and insecure, while my apartment on Racine was unsafe but quite secure. Here's an EXCELLENT example:
http://www.chicagocrime.org/
Now, generic mac user, I'd like you to tell me: why aren't there more dog fighting arrests in my neighborhood? There are no anti-dog-fight measures that I know of in Oak Park.
As for "also note that Jim Schmidt struck a reasonable and mature tone in the discussion about the notion of attackers on both sides being engaged in a polarized “circle jerk”": best quote ever. Well played, sir!
To be a hacker, or to write viruses on the mac, would you have to own one so you could test it and find vulnerabilities and stuff? Maybe that's why macs are safer because hackers don't want to buy a mac just to hack it. Reward doesn't justify the price.
I'd also imagine that a windows virus could propagate itself a lot better than a mac one because of the sheer number of installed copies of windows compared to Mac OS X.
I'm still kind of surprised that there haven't been any widely reported clientside exploits on macs. If vulnerabilities are truly easier to find in mac, and if mac users surf the web like windows users, and if there exist even a few hackers who want the glory of putting the first mac exploit on the web, what causes the mac to still be safe?
So I guess I want to know, is apple's low marketshare the only thing that protects it? If OSX Tiger had the same amount of users and the same amount of money spent on security, everything equal, which platform would be more secure?
Thanks.
There is nothing wrong with this. People move to the suburbs all the time to get away from crime. That's the "safety and convenience" approach. The "security" approach is, "build a panic room and hire a bodyguard". For desktop computers, that kinda sucks. This is the gist of what Mossberg keeps saying in the WSJ.
Us security people tend to care about the "security" approach, though, because it defines what attacks against our clients are VIABLE, as opposed to LIKELY.
Except...
I just browsed to a Java applet which worked in Safari even though my Java was disabled. WTF?
http://morph.cs.st-andrews.ac.uk/Transformer/
It seems that most Java applets I tried were correctly disabled, so unfortunately I'm having trouble locating a better example (i.e. one where you don't have to upload an image to get to the applet).
Anyway, disabling plug-ins does prevent this one from running, and there I was thinking Thomas was just being extra paranoid with the image of his settings. Ouch :(