View Full Version : Apple security - silence then abuse


MacBytes
Oct 6, 2006, 05:05 PM

Category: Mac OS X
Link: Apple security - silence then abuse (http://www.macbytes.com/link.php?sid=20061006180523)

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

s10
Oct 6, 2006, 05:22 PM
and sort of cuddly as well

Mord
Oct 6, 2006, 05:23 PM
Apple denies they are critical, and just patches the part which could be viewed as insecure on its own. It's like saying a bank is insecure if there is a thin layer of paper between two massive 1' thick titanium vault doors; sure, the bank will fill that gap with titanium once they are alerted to it, but it was never a security threat.

Every supposed threat has needed a strict set up which isolates the small flaw which would never occur in real life.

CANEHDN
Oct 6, 2006, 05:26 PM
I agree. I'm a Mac fan till death but anyone who thinks OS X is perfect and has no security issues is an idiot. Either the holes haven't been found yet or people are just utilizing the holes that are known. I agree that security will become a lot bigger issue in the next 12-18 months, with OS X. It's still a better, more secure OS than XP or Vista is.

plinkoman
Oct 6, 2006, 05:28 PM
so what, apple is only allowed to provide a patch for the most severe problems? they aren't allowed to patch something that isn't a big threat??

what a douche... :cool:

Superdrive
Oct 6, 2006, 06:13 PM
Sure, let's take security advice from Microsoft. Everyone knows there are problems. Apple is much better keeping a lid on things than having everyone say "FIRST APPLE ACKNOWLEDGED EXPLOIT!"

Snowy_River
Oct 6, 2006, 06:18 PM
Well, I'd love to find an email address for this guy so I could offer him some more of what he'd likely find to be "abuse". In case he's reading, I'll post what my letter to him would be:


Dear Mr. McCarthy,

Here we go again, right? Well, I am not one of those Mac zealots who believe that Macs "exist within some holy forcefield of invulnerability", but I do like to keep the record straight.

First, one simple fact, while Mac OS doesn't have "some holy forcefield of invulnerability", they are much more secure than Windows. Some of that is the way the system is built, and some of that comes from the lower profile that the Macs have had, which has led to fewer mal-ware writers trying their hand at breaking through. Indeed, the various flavors of Linux enjoy a similar level of security, for similar reasons. And, not to put too fine a point on things, it is a selling point, and Apple would be foolish not to use it.

For the record, Apple has never asserted that Mac OS is invulnerable. They have simply pointed out that there are no viruses, worms, spyware, or any other kind of mal-ware "in the wild" that affect the Mac OS. This is simply a true statement.

Now, this led to certain security "experts" choosing to use the MacBook as a specific target for demonstrating a security flaw that existed for all computers when using certain 3rd party hardware and drivers. While there were some claims that flew around that this same flaw applied to Apple's own hardware and drivers, as well, it seems, based on what I've read, that these claims were false. (Here is a spot that I'm perfectly happy to acknowledge that my information is second hand, and if you have something that is more reliable, please share it...)

Okay, so a month later Apple releases a patch for a similar hole (and the actual 3rd party hole, if I read the description correctly). Why does this make Apple's statement that the "experts" never shared with them any vulnerability of Apple's native drivers/hardware false? Why didn't the "experts" immediately come forward and refute Apple's statement? Is it not possible that the 3rd party vulnerability was shared, and Apple reviewed its own drivers and found a similar, though not identical flaw? (Again, I am simply hypothesizing. I have no information on this, and, from what I can glean from your article, neither do you.)

Now, what about the fact that Mac OS keeps having security flaws found? Of course it has security flaws. Any computer will. Well, maybe a pocket calculator (which, technically, is a simple computer) doesn't. But when does a flaw become something to worry about? When should Apple panic and try to release a patch within 24 hours of the discovery of the flaw? Well, that would be when there are known exploits of the flaw. So it's perfectly acceptable, in my book, for Apple to downplay these flaws.

To date, there have been few, if any, significant exploits "in the wild" for any of Mac OS X's security flaws. And, that's been, what, almost six years since 10.0 was introduced? And how many exploits to security flaws has Windows had to deal with in that time?

In conclusion, I'd like to say that Apple, of course, has had security flaws. But none of them have been exploited in a long time (I do remember the QuickTime Autostart Worm). This nearly spotless record has drawn the ire of more than a few in the Security Analysis world, even to the point that a couple of guys virtually fabricated a problem so they could demonstrate it on a MacBook, and different Security companies have issued immediate doom warnings conveniently located on the same page as a link to buy their security software. And, of course, there will come a day when an exploit will turn up out "in the wild", but we have no idea when that day will come. Tomorrow? Maybe. A year from now? Maybe. Five years from now? It's possible.

In the meantime, I will continue to regard articles such as yours as a Chicken Little "The Sky Is Falling!" type of genre. You've offered no new information, and you've seemed to get some of the old information wrong (though this could simply be a matter of conflict between your sources and mine). I'm sorry if others have felt the need to "abuse" you. I guess, to some extent, that's a risk that you have to live with if you're going to write about a topic in a controversial way.

What do you think, will he read this?

IJ Reilly
Oct 6, 2006, 06:32 PM
Any writer who starts an article with the ancient "Apple faithful" cliche deserves at least some of the abuse he gets. No customer of any company likes to be compared to a member of a religious cult. And besides, this whole idea is so 1990s. Give us a break. Get some imagination, or a thesaurus, and give everybody a break.

To the substance, I don't understand his complaint. Both Apple and Microsoft don't like to talk any more than necessary about potential security issues until they're fixed, if for no other reason than it invites exploitation. The important issue is that they are fixed before they are exploited. On this front Apple has done a much better job than Microsoft. The proof of this should be obvious, even to someone who isn't a member of the "Apple faithful."

rjfiske
Oct 6, 2006, 06:42 PM
http://www.macuser.com/security/kieren_mccarthys_article_is_al.php

Better than I could say. :p

rjf

bousozoku
Oct 6, 2006, 06:48 PM
What’s crazy is that these exact same criticisms used to be made of Microsoft, to the extent that the company’s security image has never recovered. But rather than go Microsoft’s more open and honest route, Apple has decided to go the ostrich route by relying on its own customers’ fierce loyalty to protect it.

When has Microsoft been open and honest about security problems or anything else? Apple has been incredibly secretive at times but they also fix the problem. Microsoft often patches the problem by moving it somewhere else to be discovered later.

I wonder if the AirPort security update was concerned with this problem that didn't exist or whether it's concerning something else. Their silence is suspicious.

Still, if the people involved with finding the security problem can demonstrate it live on a machine that they've never seen, I'd certainly be more willing to believe that they weren't trying to gain attention for their company's business.

Corran Horn
Oct 6, 2006, 07:17 PM
I personally would like to see a list of M$ security updates and patches compared to this list of Apple security updates and patches. Then we can talk about Apple having many issues.

He is right, Mac OS X will have problems, it's a computer program written by humans. It will have holes. But it currently requires far fewer updates than M$. If I remember correctly the security hole shown at Black Hat was a hole in the wireless card setup. But the fact is that they were using a 3rd party wireless card, not the Airport card built into the system. I believe that "vulnerability" is not Apple's fault, but rather a user who does not have the current drivers for their products.

I don't have a mac but really want one. And since I have spent my past months reading this website and several updates, and I could tell that he had done his research about these issues, but packaged them into the article to fit his view, not the facts.

I anticipate the day that I'll get my 17" MBP C2 in the mail. But until that day I'll continue to mop the drool off the floor around my current M$ computer every day.

-Corran Horn

cwt1nospam
Oct 6, 2006, 09:10 PM
Reporting on problems is ok, but guys like this aren't just reporting on problems. They're trying to make it look like the Mac's vulnerabilities are on a par with Windows vulnerabilities, and that just isn't justified by the facts.

simX
Oct 6, 2006, 09:27 PM
Wow, great article submission Slashd^H^H^H^H^H^HMacBytes!

This guy is a jackass. No, seriously, he is. It's official (http://daringfireball.net/2006/09/jackass_kieren_mccarthy). (And it's also official that he is still a jackass (http://daringfireball.net/2006/09/mccarthy_still_a_jackass).)

Please stop posting lame links. This is what editors are for. Thanks very much CmdrT... damnit, did it again!

solvs
Oct 6, 2006, 11:59 PM
It's official (http://daringfireball.net/2006/09/jackass_kieren_mccarthy). (And it's also official that he is still a jackass (http://daringfireball.net/2006/09/mccarthy_still_a_jackass).)
Gotta love John Gruber. Plus he had a great article on how you can now zoom with the mouse's scroll button now with the Control key in 10.4.8. Which I did not know. Neat. That other guy is a jackass though. Bad enough he made a bunch of stuff up. Then blamed Artie MacStrawman (http://www.crazyapplerumors.com/?p=664). Then attached Jim Dalrymple's name to it (he writes for MacWorld). Then complains about a bunch of mean Apple zealots emailing him hate mail. K. The fact that he was completely wrong is lost on him apparently.

I wish I could get a job as a tech writer, but I actually know stuff. :rolleyes:

nagromme
Oct 7, 2006, 12:14 AM
I agree. I'm a Mac fan till death but anyone who thinks OS X is perfect and has no security issues is an idiot.
Agreed. But IS there anyone who thinks that? I've never met such a person, nor even seen so much as an anonymous forum post with that opinion :)

That mysterious race of leprechauns, who think OS X has ZERO security issues ever, may or may not exist. But the people battling the leprechauns are all over the place :D Leading some gullible PC users to think Mac users are actually that irrational. Some classic straw man action going on!

solvs
Oct 7, 2006, 12:52 AM
But IS there anyone who thinks that?
Artie MacStrawman (http://www.crazyapplerumors.com/?p=664)? ;)

bousozoku
Oct 7, 2006, 02:12 AM
Agreed. But IS there anyone who thinks that? I've never met such a person, nor even seen so much as an anonymous forum post with that opinion :)

That mysterious race of leprechauns, who think OS X has ZERO security issues ever, may or may not exist. But the people battling the leprechauns are all over the place :D Leading some gullible PC users to think Mac users are actually that irrational. Some classic straw man action going on!

Leprechauns or Lemmings?

There was something on OSNews lately and I started to read the comments and there were both sides going at it. I just went back a page and looked at other articles.

Markleshark
Oct 7, 2006, 03:17 AM
Although I'm basically a fan boy (Hey, why not) and have not had problems with my own products *touch wood* I can see why it would be annoying when you and 10 other people report a problem to Apple and they say they are 'looking into it'. I mean, remember the problems people had with the 1g Nanos and the breaking screens, it took Apple agessssssss to see the problem fully and release a statement, etc, etc. A lot of us knew here, but what about Joe who goes to Comet and buys his and it breaks on him?

Oh well.

Counterfit
Oct 7, 2006, 03:34 AM
Wow, great article submission Slashd^H^H^H^H^H^HMacBytes!

This guy is a jackass. No, seriously, he is. It's official (http://daringfireball.net/2006/09/jackass_kieren_mccarthy). (And it's also official that he is still a jackass (http://daringfireball.net/2006/09/mccarthy_still_a_jackass).)

Please stop posting lame links. This is what editors are for. Thanks very much CmdrT... damnit, did it again!
I think this (http://www.macuser.com/security/kieren_mccarthys_article_is_al.php#comment-22263) describes him best.

nagromme
Oct 7, 2006, 04:40 AM
Leprechauns or Lemmings?
Well, lemmings aren't even real. The last of them was chased over a cliff by Disney cameraman Arthur McStromman. It squeaked "oh no!" and exploded on impact.

SPUY767
Oct 7, 2006, 10:00 AM
McCarthy is an alias for Thurrott

Winston Smith
Oct 7, 2006, 02:50 PM
I'm a self confessed Apple fan boy and I fully accept that there will be a security exploit in the wild on OS X. I will know about it before it hurts me because I keep a close eye on sites like MR.

Apple also appears to be improving in its response to issues such as the speed with which iTunes 7 moved to 7.1.

This guy though is a classic example of someone who earns their living through computer security issues and seeing a threat on the distant horizon to that living attempts to protect their own existence by spreading their own virus.

We need to be concerned when that article is titled "Britney Spears naked" until then I think Mac momentum is well ahead of theirs.

Blue Velvet
Oct 7, 2006, 02:55 PM
"...Leap-A will leave them shell-shocked."
— Graham Cluley, Sophos


I remain unperturbed, Mr Graham Cluless.

MBHockey
Oct 7, 2006, 02:59 PM
Daring Fireball destroys McCarthy in this point-by-point rebuttal of McCarthy's argument:

http://daringfireball.net/2006/09/mccarthy_still_a_jackass

Counterfit
Oct 7, 2006, 03:50 PM
This guy though is a classic example of someone who earns their living through computer security issues and seeing a threat on the distant horizon to that living attempts to protect their own existence by spreading their own virus.
Kind of like how some security companies (and Adobe, but that's a different issue) are suing Microsoft in Europe for them making Vista more secure (well, supposedly anyway).

winmacguy
Oct 7, 2006, 11:43 PM
Kind of like how some security companies (and Adobe, but that's a different issue) are suing Microsoft in Europe for them making Vista more secure (well, supposedly anyway).
Not quite. The other companies like Symantec have an issue with Vista's security setup locking their software out of the system rather than with Vista being "more secure". If it was just that Vista was going to be more secure it would not stop people buying and installing 3rd party security software when they upgraded to Vista.

bryanc
Oct 8, 2006, 09:30 AM
I'm one of many who sent email to McCarthy's editor, complaining about the number of factual errors and logical fallacies in the original piece.

To my surprise, he replied, but only with a link to McCarthy's rebuttal blog entry, which contains repetitions of some of the original errors (apparently McCarthy cannot distinguish between Apple patching a hole that was responsibly documented by a 3rd party security firm, and Apple having to do an internal code audit to find a hole that irresponsible hackers are implying may exist, but about which they aren't providing any data), and a bunch of new ones (i.e. the fact that Apple has been less than transparent about their security update processes proves that he's being unfairly persecuted by 'the Apple Faithful').

I'm afraid this guy is just going to be one of the many irrational Apple-haters who will be cheering the loudest when the first real exploit starts circulating in the wild. We all know that will happen eventually, but it's not a big deal for Mac users, because there will never be the level of danger Windows users face on a daily basis, because OS X is better designed, and hacking it is already demonstrably a lot harder. So, while some hacks may eventually become real security issues, there won't be armies of script kiddies turning hundreds of thousands of OS X boxes into spam-mailers, or DDOS attack farms.

Meanwhile, I expect Mr. McCarthy's editor is highly pleased with him for having created a sh*tstorm of interest in their otherwise boring site, and thereby generating a ton of advertising revenue.

Face it, McCarthy's just another troll.

Willis
Oct 8, 2006, 12:36 PM
Some of this article I can agree with; yes, there are a few areas that have been overlooked, but Apple have released patches. HOWEVER. This comment is false to some extent.

SecureWorks security researchers report a hole in MacBook that allows someone to take control of the machine. Apple refutes the hole exists: “Despite saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is.” A month later, Apple releases a patch for the hole.

Wrong. It's a fault with ALL WIRELESS ADAPTERS. And in the test they did, they even used a 3rd Party Wireless Card. It had nothing to do with the MacBook itself or the OS. It was the driver of the wireless card.

Because of this, Apple released an updated Driver for Airport..


BAH!! what a noob

70355
Oct 8, 2006, 02:19 PM
Well, I'd love to find an email address for this guy so I could offer him some more of what he'd likely find to be "abuse". In case he's reading, I'll post what my letter to him would be:



What do you think, will he read this?

What do I think? I think someone's got a LOT of time on their hands.

dejo
Oct 8, 2006, 07:49 PM
Apple also appears to be improving in its response to issues such as the speed with which iTunes 7 moved to 7.1.
7.1? When did that show up? I think you mean 7.0.1. :D

bousozoku
Oct 8, 2006, 08:59 PM
Some of this article I can agree with; yes, there are a few areas that have been overlooked, but Apple have released patches. HOWEVER. This comment is false to some extent.

SecureWorks security researchers report a hole in MacBook that allows someone to take control of the machine. Apple refutes the hole exists: “Despite saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is.” A month later, Apple releases a patch for the hole.

Wrong. It's a fault with ALL WIRELESS ADAPTERS. And in the test they did, they even used a 3rd Party Wireless Card. It had nothing to do with the MacBook itself or the OS. It was the driver of the wireless card.

Because of this, Apple released an updated Driver for Airport..


BAH!! what a noob

You shouldn't call yourself a noob. ;)

I suppose you have insider information, having worked with both companies. Anything else is just a guess, as with the rest of us.