Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Mac Security In Spotlight
- Thread starter MacRumors
- Start date
- Sort by reaction score
the past is the past market share its market share
my thoughts on the subject are as follows as Mac continues to increase its market share it needs to respond quicker to security vulnerabilities. In the past a slower response to vulnerabilities was tolerable but as vulnerabilities are exploited due to Mac's market base expanding their response time to such vulnerabilities needs to increase.
So hopefully whatever their past response time was it is a thing of the past because we can be sure hackers will exploit whatever they can in the future. Knowing that there is a larger Mac base to exploit from.
Charles Bittner
Askacapper.com
my thoughts on the subject are as follows as Mac continues to increase its market share it needs to respond quicker to security vulnerabilities. In the past a slower response to vulnerabilities was tolerable but as vulnerabilities are exploited due to Mac's market base expanding their response time to such vulnerabilities needs to increase.
So hopefully whatever their past response time was it is a thing of the past because we can be sure hackers will exploit whatever they can in the future. Knowing that there is a larger Mac base to exploit from.
Charles Bittner
Askacapper.com
While this contains other more speculative type information, it also contains very important and overlooked information about the hack.
http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10- reasons-why-cansecwest-targets-apple/
And yes, the hacker had the software prepared way in advance. The 2 minutes was how long it took him to tell the judge to click the link in the email in Safari. One thing this conference showed is that all 3 OSes have massively improved their core security. Now on to their default and 3rd party apps...
http://www.roughlydrafted.com/2008/03/29/mac-shot-first-10- reasons-why-cansecwest-targets-apple/
And yes, the hacker had the software prepared way in advance. The 2 minutes was how long it took him to tell the judge to click the link in the email in Safari. One thing this conference showed is that all 3 OSes have massively improved their core security. Now on to their default and 3rd party apps...
There are TWO key points to this story that often get missed...
#1... THEY RELAXED THE RULES MEANING STILL NO EASY MAC HACKING!
#2... EVERYONE WENT AFTER THE MAC FIRST, NO ONE ATTEMPTED THE PCs!
WHY IS THIS IMPORTANT?
Because it means technically, by any description by a person with a sound mind, the Mac was NOT the FIRST to be hacked since none of the other computers were under attack at the same time and there are still no reported viruses or other hacks in the wild against Macs that I've read of.
DUH!
Once again, CANSECWEST is a joke in search of a Mac punchline.
#1... THEY RELAXED THE RULES MEANING STILL NO EASY MAC HACKING!
#2... EVERYONE WENT AFTER THE MAC FIRST, NO ONE ATTEMPTED THE PCs!
WHY IS THIS IMPORTANT?
Because it means technically, by any description by a person with a sound mind, the Mac was NOT the FIRST to be hacked since none of the other computers were under attack at the same time and there are still no reported viruses or other hacks in the wild against Macs that I've read of.
DUH!
Once again, CANSECWEST is a joke in search of a Mac punchline.
The bug was in the PCRE library that webkit's JavaScript engine uses.
The fixed code:
http://trac.webkit.org/projects/webkit/changeset/31388
The fixed code:
http://trac.webkit.org/projects/webkit/changeset/31388
As an apple fanboy, the point we all should note is Apple's inability to correct the loophole that's been persisting for significant time.
I still have no doubt that for an average person, Mac OS has the best security/user friendness ratio. But I have to wonder what Apple's doing recently for their 'macs'.
I still have no doubt that for an average person, Mac OS has the best security/user friendness ratio. But I have to wonder what Apple's doing recently for their 'macs'.
That doesn't work very well, for two reasons. One is that users are going to make errors no matter what, and some applications are going to be poorly written (like, in this case, Safari). A well-designed OS should be able to keep applications from accessing things they don't need to, so that they can't do damage other than to themselves. The second is that a user doesn't need to go to a seedy website to get a bad link -- legitimate sites get hacked all the time. Of course people aren't going to download or open things that they don't trust, but the problem is when the things that they do trust turn out to be malware, either because something legitimate has been replaced, or because the user has been tricked into thinking that a site is legitimate when it isn't.
I'm not taking this as flame bait, and I don't want to sound facetious, but I'm curious. Why are you still here?
I live on Earth, where are you from? The exploit took two weeks, read the entire story.
I agree!!
I always thought it a mistake to so brazenly taunt 'hackers' the way Apple has (and does). Similar tactics have proven less than effective.
Bad form, no matter how you slice it.
Hopefully, Apple can address this issue sooner than later.
100% correct on your statments. However the assumption by non-informed people and by IT management that OSX and Safari are less secured than the others is the issue at hand. The time used means nothing if you had your hack all ready.
Yes others could have done the same, but they did not, and that makes Apple looks bad which is not fair as Apple had nothing to do with the pre-preparations.
So..... this hacker guy, who probably knew what the hell he was doing from years of experience, managed to hack a Mac in a competition to hack an OS to win hella G's. Holy crap I'm scared for my safety.
Overreaction much, yes?
Overreaction much, yes?
Yes, as of yet each hack against OSX in this and other competition required user interaction. It was not until they released the rules that they got something on OSX.
Except that Vista and Ubuntu were not hacked at all with default applications installed, even though people were trying all day after the Mac was hacked. The Vista laptop wasn't hacked until the third day (when they installed third party apps), and the Ubuntu laptop was never hacked.
And it's pretty trivial to get people to click on a random link. Either hack a legitimate site and replace a link on it with the link to the exploit code, or just post a link somewhere saying "free porn here".
He could just as easily have used the hack in the wild. He just chose to save it for a time when it would get him $10k and a free laptop. All that says is that the people hacking Macs are smarter than the ones hacking PCs, which does not make me feel particularly more secure.
Great question. Because I still love the Mac community, especially Macrumors and I am still fascinated by Apple products/rumors.
Believe me I hate Microsoft more than anyone, but I just see a different light these days.
If Apple's OS X is so secure, why are these hackers saying that it's the easiest OS to hack?
Because they get more publicity attacking Apple than any other platform. If they said Windows is the easiest to hack everybody would respond with a big yawn. If they said Linux was the easiest the response would be so-what. But when they say OS X is the easiest it gets spread all over the web in spades. You have to remember that guys like this have incredible egos. They don't work for any major OS company writing secure code. They think something like that is beneath them. Instead they attack the work of someone else trying to break it. And when they do manage to break something they pound their chests and shout "Look at ME!" Breaking Apple's work generates publicity and massages their massive egos.
So we don't really know which is easiest to break. We just know that these egomaniacs claim that OS X is.
I think most people realize that a security hole is a security hole, and that it needs to be fixed, but most people are saying that the fact that the hacking of OSX only took 2 minutes doesn't accurately display OSX's security abilities because if he hadn't planned the attack, it would have taken much longer to break into the OS.
You are not taking into consideration that the person going against the safari and against what ever browser on the linux system where not the same person and also may not have been as prepared.
Getting a MacBook Air is a lot better incentive at making preparations than getting a Linux system that you can buy for next to nothing anywhere.
The key boils down to preparation and the level of the hacker. Not all hackers are created equal or have the same preparation.
The "relaxation" of the rules was just to the point that you could try to exploit any pre-installed apps that come with OSX, such as Safari or iChat. Not too much of a relaxation of you ask me. If it had taken to the 3rd day when they went to 3rd party apps, we'd be in a different ballgame.
As for "no one going after the PCs". Don't know where you are getting this. However, even if this was true, they had the entire rest of the day to take down the other two laptops, since the Mac was taken out in 2 minutes (the guy had obviously prepped, but that's okay... people had probably prepped for attacking Vista as well).
Plus, it was hacked on the 2nd day of the contest. Why don't people bother to RTFA.
LOL, good points.
I just take objection to the publicity of taking only in two minutes to hack a Mac. The 2 minutes is what it took him to do what he had pre-prepared. That is the only thing I take exception with, the fact that preparations are not the same and the quality ofthe hacker is not the same.
These competitions proof nothing, unfortunatly others do not understand that and it may affect their decision to allow Macs at work with misinformation like this.