<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Thu, 03 Apr 2008 17:44:36 -0000</lastBuildDate><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322249</link><description>I find most of these posts very very funny. Denial is not a river in Egypt. If you read the articles I read published in Tech Republic, you would know that the rules were relaxed as each day went by. Mac was pwnd on the 2nd day. The 3rd day Vista was pwnd, but not until a third party app was installed. Now I'm not saying that any OS is more secure than any other. But why would I create hacks for an OS that only about 5% of the market has? It would be a waste of time. 95% of the market (Windows) would hurt more. So to all those MAC zionists, you are as secure as MAC wants you to believe.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tim</dc:creator><pubDate>Thu, 03 Apr 2008 17:44:36 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322248</link><description>Despite this all being fixed and presumably updated now, I'm a little concerned. The advice to turn off Java in Safari (and elsewhere) was reasonable, and I followed it. In fact after applying Apple's fix, I still didn't enable Java. I'd rather notice that a site needs it and isn't working and make my decision at that point.&lt;br&gt;&lt;br&gt;Except...&lt;br&gt;&lt;br&gt;I just browsed to a Java applet which worked in Safari even though my Java was disabled. 
WTF?&lt;br&gt;&lt;br&gt;&lt;a href="http://morph.cs.st-andrews.ac.uk/Transformer/" rel="nofollow"&gt;http://morph.cs.st-andrews.ac.uk/Transformer/&lt;/a&gt;&lt;br&gt;&lt;br&gt;It seems that most Java applets I tried were correctly disabled, so unfortunately I'm having trouble locating a better example (i.e. one where you don't have to upload an image to get to the applet).&lt;br&gt;&lt;br&gt;Anyway, disabling plug-ins does prevent this one from running, and there I was thinking Thomas was just being extra paranoid with the image of his settings. Ouch :(</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">DG</dc:creator><pubDate>Sat, 12 May 2007 19:30:32 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322247</link><description>No, you're right. Also, after checking better, this bug isn't actually fixed; it continues to crash.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Snagg</dc:creator><pubDate>Wed, 02 May 2007 06:50:18 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322246</link><description>Did your bug involve using QTHandle::toQTPointer to craft a pointer into the heap? 
If not, you didn't find the same bug.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 01 May 2007 20:56:38 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322245</link><description>After installing the new patch from Apple, I must say that either that patch also fixed the bug I was talking about in my previous comment or it was the same as Dino's.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Snagg</dc:creator><pubDate>Tue, 01 May 2007 20:37:17 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322244</link><description>QuickTime 7.1.6 was released today, and apparently the problem has been fixed.  Kudos to Apple.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Schor</dc:creator><pubDate>Tue, 01 May 2007 17:10:32 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322243</link><description>This is a sad day for the Mac community. I'd hoped I'd never see this day in my lifetime. Whoever hacked that beautiful Mac computer has to pay. And be banned from this forum and from MacRumors and MacNN too. 
This is war IMO.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CompX</dc:creator><pubDate>Tue, 01 May 2007 10:11:48 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322242</link><description>David Schor: I rather suspect I know what the vulnerability is. If so then yes, PPC Macs are also affected. It probably also affects Mac OS 9 :-)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rolf</dc:creator><pubDate>Mon, 30 Apr 2007 20:28:57 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322241</link><description>generic mac user: Yes, I think the verdict among the security community is in, and it's that market share is the primary defensive measure OSX has right now.&lt;br&gt;&lt;br&gt;There is nothing wrong with this. People move to the suburbs all the time to get away from crime. That's the "safety and convenience" approach. The "security" approach is, "build a panic room and hire a bodyguard". For desktop computers, that kinda sucks. This is the gist of what Mossberg keeps saying in the WSJ.&lt;br&gt;&lt;br&gt;Us security people tend to care about the "security" approach, though, because it defines what attacks against our clients are VIABLE, as opposed to LIKELY.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 27 Apr 2007 15:48:00 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322240</link><description>Nobody has confirmed or denied this. 
Either outcome is equally plausible.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 27 Apr 2007 15:44:40 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322239</link><description>I've been buzzing the web for a week trying to find out if this vulnerability affects ppc (powerpc) macs.  Any news?  Does anybody even care?  Is security by obscurity still my best bet?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Schor</dc:creator><pubDate>Fri, 27 Apr 2007 15:42:18 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322238</link><description>Thanks for being straight -- I guess because no one tries to dog fight in your neighborhood, there aren't any arrests?&lt;br&gt;&lt;br&gt;To be a hacker, or to write viruses on the mac, would you have to own one so you could test it and find vulnerabilities and stuff? Maybe that's why macs are safer because hackers don't want to buy a mac just to hack it. Reward doesn't justify the price.&lt;br&gt;&lt;br&gt;I'd also imagine that a windows virus could propagate itself a lot better than a mac one because of the sheer number of installed copies of windows compared to Mac OS X.&lt;br&gt;&lt;br&gt;I'm still kind of surprised that there haven't been any widely reported clientside exploits on macs. 
If vulnerabilities are truly easier to find in mac, and if mac users surf the web like windows users, and if there exists even a few hackers who want the glory of putting the first mac exploit on the web, what causes the mac to still be safe?&lt;br&gt;&lt;br&gt;So I guess I want to know, is apple's low marketshare the only thing that protects it? If OSX Tiger had the same amount of users and the same amount of money spent on security, everything equal, which platform would be more secure?&lt;br&gt;Thanks.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">generic mac user</dc:creator><pubDate>Fri, 27 Apr 2007 13:56:02 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322237</link><description>JoeL: Dino does NOT agree with you that Macs are more secure than Windows. I guess I can wait for him to say that, but I think it's safe to take my word for it. Like Dave and I, he probably does buy that Macs are safer.&lt;br&gt;&lt;br&gt;As for "also note that Jim Schmidt struck a reasonable and mature tone in the discussion about the notion of attackers on both sides being engaged in a polarized “circle jerk”": best quote ever. Well played, sir!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 27 Apr 2007 01:25:36 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322236</link><description>It's harder to discover a new Win32 vulnerability. 
There's tens of millions of dollars spent hunting down the few remaining Windows vulnerabilities and nothing comparable on the Mac side.&lt;br&gt;&lt;br&gt;Macs are safe for the same reason my house in Oak Park is safe and insecure, while my apartment on Racine was unsafe but quite secure. Here's an EXCELLENT example:&lt;br&gt;&lt;br&gt;&lt;a href="http://www.chicagocrime.org/" rel="nofollow"&gt;http://www.chicagocrime.org/&lt;/a&gt;&lt;br&gt;&lt;br&gt;Now, generic mac user, I'd like you to tell me: why aren't there more dog fighting arrests in my neighborhood? There are no anti-dog-fight measures that I know of in Oak Park.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Fri, 27 Apr 2007 01:15:03 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322235</link><description>Please just answer these questions. Or say why you're avoiding them. Or preferably, both. I'm curious.&lt;br&gt;Is it harder to discover a new exploit in windows or in mac?&lt;br&gt;Why are macs so safe if they aren't secure? You hear about occasional crimes happening in the suburbs, but you never hear about instances of malware affecting macs.&lt;br&gt;&lt;br&gt;A straight answer would really help me understand the security of my computer better. If there's no clear answer, just say so, or guess, or something. 
: )</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">generic mac user</dc:creator><pubDate>Thu, 26 Apr 2007 21:18:43 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322234</link><description>Dai Zovi:&lt;br&gt;&lt;br&gt;“Apple has made some sound design decisions in Mac OS X, such as minimizing the number of default open network services, using non-executable writable memory segments and employing a well designed administrative user authorization system, that are also good security measures.”&lt;br&gt;&lt;br&gt;You, uh, know this guy, right?&lt;br&gt;&lt;br&gt;If you were to look at the thread of my posts they are essentially (with some frills around the edges) the same as his comment: that Apple made sound security decisions in their design of OS X. Not least of which is that it is built on a foundation of Open Source Unix while Windows is entirely proprietary and secretive. &lt;br&gt;&lt;br&gt;BTW, your response is so vague as to be interpreted in almost any way, so it's impossible to know what you're referring to exactly. Plausible deniability!&lt;br&gt;&lt;br&gt;My question put to your group of somewhat supercilious and dismissive posters might have easily been answered by  Mr Zovi's comment as quoted above.&lt;br&gt;&lt;br&gt;BTW, do you agree with this guy or is he another "zealot?" &lt;br&gt;&lt;br&gt;I also note that Jim Schmidt struck a reasonable and mature tone in the discussion about the notion of attackers on both sides being engaged in a polarized "circle jerk" only to be attacked personally and unnecessarily by Thomas Ptacek (proving his point). 
Clearly, maturity has nothing whatsoever to do with security work.&lt;br&gt;&lt;br&gt;JoeL</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joeldm</dc:creator><pubDate>Thu, 26 Apr 2007 20:28:22 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322233</link><description>Joel, I'd like you to find anyone, in this whole big crazy wide world of ours, who (a) works professionally in security and has published --- in any security venue: advisories, papers, refereed journal articles, and the like; and (b) agrees with any of these points.&lt;br&gt;&lt;br&gt;Just one person.&lt;br&gt;&lt;br&gt;I will be more than happy to reciprocate.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 26 Apr 2007 13:33:04 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322232</link><description>Facts seem to be plastic things around here. I keep asking the same question, you keep answering the one I didn't ask. Afraid to I guess. It's like watching an old rerun of Crossfire. &lt;br&gt;&lt;br&gt;Does OS X have vulnerabilities? Sure. Has OS X been widely compromised a la Windows? No. Name one compromise that has been widespread and has done damage.  Can we say the same for Windows? No we can't. Windows exploits are legendary and widespread and ongoing. There are over 22 million OS X installs in the US. This isn't a small target. 
And BTW, the test was for a desktop system, so whining that OS X Server isn't installed widely is kind of lame.&lt;br&gt;&lt;br&gt;It's interesting to me that this conference didn't set up three computers for the test, one Windows running Vista, one Mac running Tiger and one Linux (pick your distro). But as Microsoft is a sponsor I guess that just wasn't in the cards. From a Mac-watcher's POV this is all too familiar FUD. &lt;br&gt;&lt;br&gt;No computer is completely secure, but to suggest that Windows security and Mac security are somehow equal given their architectures is a whole new level of naivete. It's hard to imagine what mental gymnastics are required to arrive at this self-congratulatory circle jerk . . . but it's fun to watch!&lt;br&gt;&lt;br&gt;The fact is, both Macs survived ethernet and wireless access attacks. No one was able to commandeer either machine under the original rules. On the second day, regardless of your making fun of the phrase, the rules _were_ relaxed and hackers were allowed to put code on a wiki &amp;amp; do drive-bys using Safari.&lt;br&gt;&lt;br&gt;What we learned is that Safari has a flaw, nothing more. So does Firefox and so does the PC version and IE? Well, you tell me. And refresh my memory, even with the "relaxed" rules, the second MacBook was never compromised, correct? Maybe next time you could sit at the keyboard with root access open. Or maybe they should just have installed Vista using BootCamp.&lt;br&gt;&lt;br&gt;It's been fun(ny) . . . .&lt;br&gt;&lt;br&gt;JoeL</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joeldm</dc:creator><pubDate>Thu, 26 Apr 2007 13:13:29 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322231</link><description>Sounds like ManBearPig logic.  The only facts that count are the ones that the Zealots want to count.  
Same crowd I guess.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike</dc:creator><pubDate>Wed, 25 Apr 2007 12:56:56 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322230</link><description>Nice trying to move the goalposts, though. Sorry, we'll only "relax the rules" once.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 24 Apr 2007 15:21:42 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322229</link><description>joeldm:&lt;br&gt;&lt;br&gt;No, I actually read the whole thread. Compromised is compromised. Weak passwords are one of the lowest of the low-hanging fruit; why bother spending time and/or money weaponizing a "real" vulnerability when you can just write a loop around ssh and /usr/dict/words?&lt;br&gt;&lt;br&gt;My point (if any) is that saying "No Mac has never been pwned in the wild" is prima facie incorrect; if that's what you were trying to say earlier, I think you actually meant, "I don't have any evidence of a Mac being pwned in the wild by a remote vuln in Apple software" (because I assume you're going to discount vulns in, say, Apache).</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Matt</dc:creator><pubDate>Tue, 24 Apr 2007 15:20:30 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322228</link><description>U of F isn't an enterprise and you just counted their customers as employees. &lt;br&gt;&lt;br&gt;Please cite a source saying Cox uses Mac *servers*. 
Any enterprise with "creatives" in-house will use Mac desktops, but attackers aren't motivated by zero-day TIFFs.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 24 Apr 2007 15:18:46 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322227</link><description>Cox newspapers uses Mac servers and desktop Macs for at least 50% of their publishing enterprises, 17 dailies and 26 non-dailies nationwide. Cox Enterprises has 77,000&lt;br&gt;&lt;br&gt;The AJC recently ran an article about how much the switch has saved them and their major advertising vendor, DTI, which does business with nearly every newspaper in the US reported that "“Our clients were primarily Macintosh users”&lt;br&gt;&lt;br&gt;Cox Communications uses more than Mac's servers of course, Final Cut Pro Non-Linear Edit Suites are common across the entire company and who can say how much penetration Macs have in other areas of this media company? Fortune 500 baby!&lt;br&gt;&lt;br&gt;I also remember that U of F also runs OS X servers and desktops, that's 50,000 students and professors. &lt;br&gt;&lt;br&gt;But is this going to be a pissing contest now? I thought someone, anyone would step up and answer my question. No one has. Now why would that be? No guts, no glory!&lt;br&gt;&lt;br&gt;Why is OS X so much more secure than Windows? I know you guys know, you're just too . . . err . . . timid to admit it. &lt;br&gt;&lt;br&gt;And really, a link to some obscure discussion about a bot that turns out NOT to be a Mac bot? Really, that's pathetic. Step up or step off wimps . . . 
.&lt;br&gt;&lt;br&gt;nyuk, nyuk,&lt;br&gt;&lt;br&gt;JoeL</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joeldm</dc:creator><pubDate>Tue, 24 Apr 2007 15:17:10 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322226</link><description>And?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 24 Apr 2007 14:34:31 -0000</pubDate></item><item><title>Re: Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won</title><link>http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/#comment-2322225</link><description>Matt,&lt;br&gt;&lt;br&gt;"Just to add a little fuel to the fire, here’s the start of a mailing list thread with some anecdotal discussion of Macs getting compromised:&lt;br&gt;&lt;a href="http://lists.apple.com/archives/macos-x-server/2006/Dec/msg00422.html" rel="nofollow"&gt;http://lists.apple.com/archives/macos-x-server/...&lt;/a&gt;  "&lt;br&gt;&lt;br&gt;&lt;br&gt;You didn't read down far enough:&lt;br&gt;&lt;a href="http://lists.apple.com/archives/macos-x-server/2006/Dec/msg00494.html" rel="nofollow"&gt;http://lists.apple.com/archives/macos-x-server/...&lt;/a&gt;&lt;br&gt;&lt;br&gt;They used a compromised user account, not a bot.&lt;br&gt;&lt;br&gt;JoeL</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joeldm</dc:creator><pubDate>Tue, 24 Apr 2007 14:21:14 -0000</pubDate></item></channel></rss>