PDA

View Full Version : Security experts sanguine on Mac hack


MacBytes
Apr 27, 2007, 12:00 PM
http://www.macbytes.com/images/bytessig.gif (http://www.macbytes.com)

Category: Mac OS X
Link: Security experts sanguine on Mac hack (http://www.macbytes.com/link.php?sid=20070427130004)
Description:: none

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

ctango
Apr 27, 2007, 01:20 PM
I find it most interesting that nobody has mentioned the contest was altered on the last day because nobody could break the Mac for the first two days. Apparently they dropped the security level on the third day and opened up the ability to run a command from the web browser on the third day.

Why isn't anyone mentioning the changing of the rules for the third day? Not good journalism in my opinion.

nagromme
Apr 27, 2007, 01:27 PM
"Mac systems are as vulnerable as most other operating systems, so anyone with reasonable skills should be able to compromise them,” ...

“If a hacker turned their attention to the Mac, it would suffer just as much as Windows,” Wagner said. “Attacking the 95 per cent of the market gets them more attention.”

Really? ALL operating systems have exactly equal security, and one design is exactly as secure as another? Windows and Mac both have exactly equal numbers of flaws, and these flaws are exactly as easy to exploit, and once exploited, they have exactly the same potential to do harm? All OS's have exactly the same number of lines of code to debug, and contain exactly the same software components? Wow! That's some truly bad logic :) Funny, I thought one OS would be DIFFERENT from another in terms of security, and that UNIX/Linux/OS X have had a long history of superior security design compared to Windows. I thought that Vista had its first malware while its installed base was smaller than Macs--while Macs still have none even after this contest.

What kind of "security professional" truly believes that marketshare/attention is the ONLY factor in an OS's security?

This seems suspiciously close to the logic of anonymous Windows zealots in forums:

1. No OS has perfect security design.

2. Therefore OS X does not have perfect security design.

3. Therefore OS X is exactly as poorly designed as Windows.

4. Therefore Macs are only safer because there are fewer of them (which will be true for many years).

5. Macs will be fewer for many, many years, but maybe someday there will be more Macs than Windows.

6. Therefore the fact that Macs are so much safer TODAY (and for the foreseeable future) doesn't matter.

7. Therefore it makes just as much sense to buy a virus-ridden PC as a virus-free Mac.

8. Therefore it makes MORE sense to buy a PC than a Mac.

(As for the Mac community being "stunned" by this exploit... hardly. It's not even close to the first or the last such exploit for Macs--merely the best paying :) Yet these exploits have never allowed successful real-world malware. No change on that front yet, after 6 years of OS X. And when there IS malware, it will be a drop in the bucket compare to Windows.)

Obscurity helps. Good design helps. Both are advantages we will keep for many years.

I find it most interesting that nobody has mentioned the contest was altered on the last day because nobody could break the Mac for the first two days. Apparently they dropped the security level on the third day and opened up the ability to run a command from the web browser on the third day.

Why isn't anyone mentioning the changing of the rules for the third day? Not good journalism in my opinion.

There was no change of rules. Different avenues of attack were ALWAYS planned for each day of the contest. The nitty gritty details of each day are not relevant to topics discussed in the article.

FatherTime
Apr 27, 2007, 02:08 PM
I find it most interesting that nobody has mentioned the contest was altered on the last day because nobody could break the Mac for the first two days. Apparently they dropped the security level on the third day and opened up the ability to run a command from the web browser on the third day.

Why isn't anyone mentioning the changing of the rules for the third day? Not good journalism in my opinion.

I would have to agree with you 100%. It was not clearly stated that absolutely "NO ONE" was able to comprimise a Mac sitting on the network with no protection ... they all failed.

So the rules were changed and they had a "person" manually go to a specified link to execute an action. That is lowering the bar quite a bit.

Note that WindowsXP has been destroyed with the first set of rules - just placing it on the network and let them attack it.

Nothing but marketing attempting to try and scare Mac users into buying products and services they do not need.

:)

ctango
Apr 27, 2007, 02:21 PM
From ComputerWorld.com

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

The wording in the articles I read initially all make it sound like the organizers changed the rules on ONLY the third day. I wasn't there so I can't confirm this. Was there anybody there or any second hand info that could clear this up. Was the security slack planned before the event or a result of not having anyone able to break the Mac?

chris

nagromme
Apr 27, 2007, 02:47 PM
Again, the rules were NOT changed. They opened the systems to more and more types of attack, as planned in advance.

And those additional types of attack are REAL ones, not artificial: visiting a malicious Web page--which could include any Web site you visit regularly, if someone hacked into it.

Would you rather not know about this flaw in QuickTime? I'm glad to know, so it can be fixed.

The flaw is real, and COULD be used in a real-world scenario. To say the contest isn't fair because it allowed browser exploits is ridiculous: people DO use browsers in real life :)

Articles that deceptively or ignorantly paint the Mac as being as insecure as Windows DO unfairly harm the Mac's reputation. But so do Mac users who see a REAL flaw being fixed (which is NOT a rare or terrible event) and deny it irrationally.

cwt1nospam
Apr 28, 2007, 11:01 AM
My only problem with this article is that it promotes the long disproven security by obscurity myth. Let's do it again:

Of 100,000,000 iPods sold, perhaps 1,000 have had Linux installed on them. So is there malware for the standard iPod OS? No. For Linux on iPod? Yes. So much for security through obscurity.

BilltheCat
Apr 28, 2007, 11:17 PM
what I read was that the flaw was common to all os's that use Java and QT. Even linux with java and QT was vulnerable. That sounds like a problem with QT or Java (Sun) not Apple!

funkychunkz
Apr 29, 2007, 01:37 PM
what I read was that the flaw was common to all os's that use Java and QT. Even linux with java and QT was vulnerable. That sounds like a problem with QT or Java (Sun) not Apple!

But Apple did write the code for QT, and so some of their code is susceptible to manipulation and thus all Apple software cannot be reasonned to be flawless. It doesn't mean that there were any more security flaws than most software, but it is popular software which would have been examined as carefully as other components of a software system. Even the fact that QT was published by Apple may, knowing it's appearant flaws, puncture a hole in some Apple users' naivety. That isn't to say that we all think like that, or feel the need to defend the reputation of the systems we use. Something tells me that's counterproductive.

BilltheCat
Apr 29, 2007, 08:38 PM
again my understanding was that it wasnt QT per se but the Java underneath it that was the weak spot. QT just became the entry point due to it's relationship with Java. So since QT relies on java then I guess it is a weak point for attack.

So who is responsible for a fix? Apple or Sun? or both?