Plus, it was hacked on the 2nd day of the contest. Why don't people bother to RTFA?

Because it's fun to trash OS X at every opportunity. It's all about taking Apple down for being so successful. So what else is new?
 
I've been using Macs for 10 years, have dozens of friends who have used Macs for just as long, and I have never encountered or known anyone who has had a virus or their machine hacked into.

My Windows friends on the other hand, total opposite. Just about all of them have had major virus or malware issues. Constantly running Norton and all their anti-virus blockers and still having problems.

So yeah, Mac is still the safest way to go.
 
You are not taking into consideration that the people going against Safari and against whatever browser on the Linux system were not the same person and also may not have been as prepared.

I get that. I wish they had held a three day contest restricting hackers to network-only attacks and relaxed the rules this way:

Day 1) Out-of-the-box/clean install configurations.

Day 2) Open a variety of commonly used ports (FTP, SSH, etc.)

Day 3) Turn off all security software, firewalls, etc.

That would have been an interesting contest where you could draw conclusions from the outcome. But when you're allowed to direct someone sitting at the machine or to install software, I don't understand the point. All you're gauging there is the hacker's familiarity with the minutiae of one particular security hole in one particular machine's configuration. And since it must be triggered by a user, it's really nothing more worrisome than a Trojan horse.
 
The point is.... Mac software has holes that remain unfixed, or properly tested. The point is to invest more into application security and patches as Apple continues to increase its presence in the computer world.

The point is... Any security hole, regardless of preparation or skill level for the hacker to exploit, is a security hole. Period. Competitions like these, I believe, should be a turning point for Apple not just to fix this hole that was discovered, but to change how it approaches security testing and patching.
 
Well, it's no secret that Mac OS X is the least secure OS on the market today.

Apple has been making **** software and **** computers ever since they decided to put all their focus on the iPod and the impressive iPhone. They have limited resources. Since iPod became huge not ONE SINGLE hardware release did not have at least one recall on one of its parts in the following 15 months.

10.5 was a colossal technical failure. All software is buggy. Maybe it's time they separated the 2 businesses and start making really good computers that work for years again.

Everyone is entitled to an opinion, even a misinformed and stupid one.

Seems to me this was completely unfair as the other hackers did not do the same prior to coming to the competition. Sorry but this is bull.

Actually, the Vista hacker, Mark McCauly (?), had an exploit ready too, but was stymied because he didn't anticipate the machine having SP1 installed. By the end of day two, he had found an exploit, but ran out of time to develop it.

Incidentally, the Linux box never did fall.

In some part that was due to a lack of interest.
 
Here are a couple of questions:

How many exploits security holes are found in OS X on a daily basis?

How many exploits security holes are found in windows on a daily basis?

For the fact that some security firms need to get their facts a bit more right due to Windows having way more unpatched holes than OS X will ever have.

I don't mind waiting a while for Apple to patch things because at least most if not all the time the patch does break several other things. Not like Windows; they patch something and can very well break hundreds of other things.
 
One thing I'll say for Apple is that this competition is not in any way an accurate method of comparing security. There are simply too many variables and not any controls. Pure and simple.

That however doesn't change or excuse the security issue. It is still a bummer. Apple needs to devote a bit more time to security of its own apps. Especially web related apps. I know that no computer will ever be bullet proof, but they should all be shatter-resistant. I hope that Apple wakes up from their iPhone day-dreams before it is too late.

Finally, I want to add that the market share argument is crap. I'm not going to waste my time on it— I've read the argument too many times and seen too many intelligent rebuttals to bother with it anymore.
 
OS X may be the most insecure OS but I still think it's plenty safe. Why? Because viruses and hacking are only done for generating malicious advertising revenue. Hackers cannot make money off of OS X, at least not enough to warrant the risk. This will hit Apple hard and fast at some point in the future though; once the userbase gets to a profitable number OS X is going to be a total mess and it's going to take Apple a really long time and a lot of new staff to figure out how to fix everything.

This just goes to show you that the OS itself is secure but what the user does in applications can bring the security down.

The lesson learned as I see it (and always have).
Don't go to sites that look seedy and don't download/open things you don't trust.

I will still stand by OS X as a very secure OS. User error and applications are the weak point.

These kinds of exploits are completely out of user control. Almost all Windows viruses come from people actually installing stupid IE plugins on bad sites; that falls under user stupidity and MS stupidity for making it so annoying not to install those things. This is a totally different scenario: all a person has to do is view the page with this code and they are infected.

It does not matter what kind of site it is. It could be some random site from Google, and it's not the user's fault for clicking that, or even worse it could be CNN.com due to CNN's web host being hacked and a virus implanting the code on every document located on the entire server (this happens a LOT with crappy web hosts). A lot of hackers have been getting viruses implanted on web hosting servers which auto generates code on every document being hosted; they can easily infect thousands of websites and it can go unnoticed for a long time.
 
Honestly, other than in hacking contests and such, I've NEVER heard of a Mac being hacked in a normal-life situation. Can anyone explain that? Considering AT LEAST one hacker would decide to either try to challenge himself, or try to be one of the only hackers attacking Macs.

I work in IT at a good-sized university (30k students) and last year we only had 3 security incidents. One was a Mac Pro and one was a G5 tower. Both staff machines. (The 3rd was a Dell.) Considering we are a 99% Dell campus it is hard for us Mac guys to be taken seriously... that didn't help.

BTW.. the G5 was taken over by someone remotely (outside of the country) and turned into a video server. It was only compromised for a short time but it nearly brought down the network it was spewing so much data.
 
I switched to Windows a few years ago after being a life long Mac user. Best decision I have ever made. I hate to say this, but Apple is all hype.

LOLOL!!! Well right now I am laughing and my mind is boggled, but mostly I just feel sorry for you lol! :rolleyes:
 
All this trickles down to one thing. There are some security flaws which need to be fixed.... and this should be done asap.....

No OS will be perfect.... there will be security issues.... and there will be hackers.... and there will be patches..... that's how evolution cycle keeps rolling....

The bottom line is these security holes should be fixed asap!
 
Okay, let's cut through the FUD:
  1. Mac OS X's security is not derived from marketshare (or lack thereof).
  2. The exploit utilized a hole in a JavaScript library utilized by WebKit and is platform agnostic.
  3. The first day involved network-based attacks against the OS without any physical access, the Mac passed with flying colors.
  4. The second day, attacks were conducted via a cross-over cable, allowing the attacker to direct a user to conduct specific actions, including going to specific links on specific intranet sites.
  5. The Ubuntu install was not the default configuration.

So why didn't the same-type exploit result in the Vista machine getting hacked in 2 minutes, like the Mac?

Because the rules explicitly forbade using an exploit twice on the same software package, even if it was on a second platform. Hacking the Mac would get more attention, whereas hacking Vista would get a yawn.

Correct me if I'm wrong, but the guy was able to hack the Mac because the user sitting at the Mac clicked a link e-mailed to him that sent him to a website with malicious code right?

The MBA was connected to the attacker's machine via a crossover cable and the user was directed to a specific intra-net web page and to click a specific link.

Because the Vista machine had SP1 and the hackers weren't expecting that. It took them a while to figure it out, thus the delay.

While the SP1 install did cause some prepared exploits to fail, the fact that hackers were not allowed to use an exploit on two different platforms prevented the same attack against Safari on Windows or other WebKit-based browsers on Vista/Linux.

The bug was in the PCRE library that WebKit's JavaScript engine uses.

The fixed code:
http://trac.webkit.org/projects/webkit/changeset/31388

Exactly, the security hole was in a WebKit JavaScript library, which is OS independent. The Mac was no more vulnerable than any other platform running a public-release WebKit-based browser.

Except that Vista and Ubuntu were not hacked at all with default applications installed, even though people were trying all day after the Mac was hacked. The Vista laptop wasn't hacked until the third day (when they installed third party apps), and the Ubuntu laptop was never hacked.

The Ubuntu install was not vanilla, as Open Office, a default application, was not installed on the Linux box.
 
It's important to note that he hacked Safari by taking advantage of an overflow bug in one of WebKit's JavaScript engine libraries. Since WebKit is open source, the vulnerability was logged and posted by Apple the same day it was discovered:

http://trac.webkit.org/projects/webkit/changeset/31388

This is hardly the end of the world.

Until Mac OS X becomes susceptible to in the wild malware and viruses, the "security ball" remains in Apple's court.

The bulk of Mac OS X's protection lies in the fact that in order to make changes to system files, you are required to enter your user name and password.

If you travel to questionable Web sites, click on questionable links and enter your security credentials to install questionable software — no amount of security will protect you.

Security is just as much about behavior as it is code.

As for Apple, they should respond to all discovered security vulnerabilities in a timely manner. There's no excuse for not patching a vulnerability if the information has been passed on to you.

You should also consider the source. These security firms were created to find vulnerabilities. That's where they make their money (or in this article's case — earn their public funding). They're not going to issue press releases touting a vendor's operating system's security.
 
I hate to go against :apple: but, Firefox works well. Or we can just stay off shady sites. There are plenty of browsers out there, just use another one.
 
While it sucks that the MBA got hacked in less than 2 minutes, it's not like that's the full story. The guy who hacked into it was working on the Safari exploit for something like 6 months before the competition. I realize that in hindsight, if your computer gets hacked into, it's not going to matter how long the hacker took to prepare for it... but still... it deserves mention.

If anyone can prove me wrong, please do... I read an article which stated the above, but I can't find the link to validate it.

Perhaps, but on my Mac I use Firefox.
 
Fanboys can always find a million reasons to excuse flaws; too bad excuses aren't as impressive as the fact.... nuff said :p
 
Everyone is entitled to an opinion, even a misinformed and stupid one.



Actually, the Vista hacker, Mark McCauly (?), had an exploit ready too, but was stymied because he didn't anticipate the machine having SP1 installed. By the end of day two, he had found an exploit, but ran out of time to develop it.



In some part that was due to a lack of interest.

Good point, I read that item before; however, each of these competitions has always included systems that have been fully patched with the latest patches. I am not sure why he did not foresee this, but oh well.
 
Is this an April Fools' Day joke?

I mean, gee, a MacBook Air in Road Warrior Configuration doesn't have an Ethernet port. :D
 
How come no one is commenting on this sentence below?

"A spot-check of security firm Secunia's statistics show that 6% of 113 bugs found in Apple's Mac OS X operating system from 2003 to 2008 remain unpatched."

They are talking about the operating system there... the family jewels!

Apparently, if these bugs are well known, they must not be exploitable or someone would have gone after them, but it does show complacency on Apple's part to spend energy making ugly docks instead of patching flaws.

It is interesting that as much as IE has traditionally been as holey as swiss cheese, it was not exploited at all, while the "new and improved" Safari was done in.
 
Forgive me if this was mentioned before but...

I think that adding in the laptop as a prize makes the time-order that the systems were cracked a little less telling about which OS is more insecure. If I were there, I would definitely be more attracted to the MacBook Air and would have spent my time trying to exploit it first.
 
Wonder if Apple will make a new Get a Mac ad based on this security performance?

"Hello I'm a Mac, I was hacked in under 2 minutes! Beat that PC!"
 
So..... this hacker guy, who probably knew what the hell he was doing from years of experience, managed to hack a Mac in a competition to hack an OS to win hella G's. Holy crap I'm scared for my safety.

Overreaction much, yes?

Ditto. I invite the guy to hack my Mac. Of course, if he can find me, convince me to click his link and sit by while my computer does some funny business and do it all before a patch. I'll even let him read my emails if he doesn't mind sorting through the 3k spam mails. Mac OS X isn't bulletproof. If the NSA wants in your Mac, they'll get in. Be afraid. Be very afraid.
 
Safari is built on WebKit, which is open source. This hacker had access to all of the source code before going to the competition and had the hack ready. He was counting on the competition to go to day two, which is when they allowed the web browser to be used.

That said, I know Linux is also open source, but Linux doesn't just have a lot of people looking at it, it has a lot of people fixing it too. Safari fixes have to go through Apple.
 