
budward

macrumors member
Mar 8, 2006
34
0
Anyone that says "Pwn" or "Pwned" Is a complete idiot.

I don't mind ghetto talk, or urban slang (not that I use it) but anyone that uses "Pwn" in their vocabulary is a complete and utter moron.

carry on
 

Jetson

macrumors 6502a
Oct 5, 2003
596
50
I've been using Macs for 10 years, have dozens of friends who have used Macs for just as long, and I have never encountered or known anyone who has had a virus or their machine hacked into.

My Windows friends on the other hand, total opposite. Just about all of them have had major virus or malware issues. Constantly running Norton and all their anti-virus blockers and still having problems.

So yeah, Mac is still the safest way to go.

Quite true. I've ALWAYS bought and used Macs as my personal computer and NEVER had a hack attack or virus.

Yes, I've had a few Windows viruses infect my machine, but Norton destroyed those and they never affected my Mac.

Still, it's a bit disconcerting to hear someone claim that Macs are the easiest to hack - true or not.

I will continue to use Macs into the foreseeable future. I just love Macintosh and Apple culture.

:)
 

elppa

macrumors 68040
Nov 26, 2003
3,233
151
Just to clarify – SQLite local storage in Safari is far more secure than cookies, which everyone on the web uses daily.

There is something to be said for designing with hindsight.
 

budward

macrumors member
Mar 8, 2006
34
0
Leopard takes second these days

On another note, Leopard is trash. Total trash. Great potential, aesthetically pleasing, much faster.. however, it's not ready for production. I'm not even going to tell you about Leopard Server.. reminds me of NT4.0.. bad, really bad..

Funny though, although I do run Leopard.. I find myself leaving it in the background using VMWare Fusion to run FreeBSD (which OS X is based on) more often than not.

shame on you and your greed Steve.
 

ruckus

macrumors regular
Oct 19, 2005
180
0
This guy has been practicing at home/work for weeks on end. No way any hacker can Pwn a system in 2 minutes flat with a new unknown vulnerability. This guy knew the vulnerability was there and unpatched weeks ahead and then sat down and worked the details prior to the competition. Seems to me this was completely unfair as the other hackers did not do the same prior to coming to the competition. Sorry but this is bull.

I have 12 full time hackers in my team and we bring the best and brightest to come show us how they do it and show our hackers their best tricks (for pay), none (internal hackers or 3rd parties) can do that in 2 minutes with zero preparation.

This was researched and was ready prior to getting there.

This is flat out unfair and a bunch of bull.

Had he gone thru the same preparations in another OS, he would have pwned any of the systems in about the same amount of time.

This was likely an issue with image or some multimedia malformed file, NONE OF THE BROWSERS do a good job of properly parsing multimedia, they all have issues in this area.

We send our people to these competitions from time to time and believe me there are all sorts of preparations by some and no preparation by others. They all know what they will be hacking well ahead of time.

The chain breaks at the weakest link. The weakest link is usually the browser, anyone in security knows that they are the most vulnerable programs.

These new HTML-5 features that WebKit and Safari are implementing ahead of everyone else are going to be a nightmare for users, these new HTML-5 features are very unsecured. Have you heard about the ability to store information using SQL at your workstation, have you heard how another program or javascript can read and steal that data off your workstation? Same thing with the new animations. Horrible.

Hate to say it, but, doing your homework ahead of time is certainly fair game. Safari, being built on webkit, is essentially open source. I'm sure other hackers tried to find vulnerabilities in the same way and just couldn't come up with anything.

To not do the research is just lazy.
 

PkennethV

macrumors 6502a
Aug 16, 2006
853
9
Toronto
I also agree with the people that say given the opportunity to hack Vista versus the Mac, I too would choose the Mac - both to win the new Macbook Air versus a "PC", and because it would probably make more press (which it did). I don't agree though that hacking Ubuntu would be a yawn - I think it would be as important if not a bit more so than hacking a Mac.


agreed. Press Headline:[sarcasm]"Hacking Competition Proves OS X is More Secure than Windows Vista". I've certainly not heard this ever before, I better read into this[/sarcasm]
 

ZooCrewMan

macrumors member
Sep 3, 2007
84
0
Northridge, CA
This just goes to show you that the OS itself is secure but what the user does in applications can bring the security down.

The lesson learned as I see it (and always have).
Don't go to sites that look seedy and don't download/open things you don't trust.

I will still stand by OS X as a very secure OS. User error and applications are the weak point.

Same goes for Windows...I've been running Windows Vista for 2 years, (I was a beta tester), and for all of Apple's criticisms of Windows (particularly Vista), if you have half a brain, you don't even need to use an anti-virus.
 

mags631

Guest
Mar 6, 2007
622
0
Ergo, if you run Vista, you should turn off your virus service, because it is more secure than Mac OS X (and the large majority of Mac users run without one). Why waste the money on buying one or the cycles on running one, right?
 

mergelayers

macrumors newbie
Mar 30, 2008
27
0
Virginia
disheartening

I think this is pretty disheartening to the loyal Mac users. Fell first? Before vista and linux? I can handle Linux...but not the vista defeat. At least they'll learn from this so they can kick butt next time. :apple:
 

ZooCrewMan

macrumors member
Sep 3, 2007
84
0
Northridge, CA
Ergo, if you run Vista, you should turn off your virus service, because it is more secure than Mac OS X (and the large majority of Mac users run without one). Why waste the money on buying one or the cycles on running one, right?

I'm saying that if you have half a brain, which a majority of people in this world do not, you don't need an anti virus. I personally don't see the point of paying for a program that hogs resources just to protect me from my own stupid mistakes; I would rather just not make them in the first place.

I won't say the Mac OS is any more or any less secure than Windows. I honestly believe they are on equal footing, and if Mac gets more of the market share, we will see more Mac viruses and exploits. You can cite study after study, but anyone studying anything can sway the results to prove whatever point they want.
 

shadowfax

macrumors 603
Sep 6, 2002
5,849
0
Houston, TX
Hate to say it, but, doing your homework ahead of time is certainly fair game. Safari, being built on webkit, is essentially open source. I'm sure other hackers tried to find vulnerabilities in the same way and just couldn't come up with anything.

To not do the research is just lazy.

I think that ED's issue is with the headline, which implies that Mac OS X was so amazingly insecure that someone just shot in the breeze and 2 minutes later, he had hacked the Mac, compared to the Windows Box, which took so much more time to hack, because Vista is more secure. That's ED's issue, and it's mine too. I don't know what to say about the contest, but the journalism is absolute crap.

That's like saying someone ran a marathon in a split second because that's how long it took to cross the finish line. This CanSecWest thing proves absolutely not even close to one thing about the comparative security of OSes.

It does demonstrate that OS X is vulnerable to social engineering vulnerabilities, like every OS. Not surprising...
 

kloppenator

macrumors member
Mar 2, 2008
45
0
Steve, i'm mad at you

i'm 200% a fanboy, but when apple's wrong, they're wrong. I don't know what to say... but nothing i would say would defend apple. And that's a first.
 

inkswamp

macrumors 68030
Jan 26, 2003
2,953
1,278
I don't mind ghetto talk, or urban slang (not that I use it) but anyone that uses "Pwn" in their vocabulary is a complete and utter moron.

Language is, and always has been, a fluid thing. It needs to be. Think of all the terms computers and the Internet have produced, all of them created because there were no existing terms that properly identified them. Do you ever use terms like "phish", "emoticon", "website", "Google" (as a verb), "mouse", "spam", "download", "menu" or "hack?" Does that make you an utter moron for using those terms that either didn't exist 20+ years ago or had vastly different meanings back then?

"Pwn" has a specific meaning not fully covered by any existing term. It will most likely end up a part of the language, even if it's relegated to nonstandard status.
 

Powerbooky

macrumors demi-god
Mar 15, 2008
591
498
Europe
I've been using Macs for 10 years, have dozens of friends who have used Macs for just as long, and I have never encountered or known anyone who has had a virus or their machine hacked into.

My Windows friends on the other hand, total opposite. Just about all of them have had major virus or malware issues. Constantly running Norton and all their anti-virus blockers and still having problems.

So yeah, Mac is still the safest way to go.

Same experience. Except for just one incident a few years ago...

I was browsing some news website, when I noticed unusual continuous network traffic on the network-switch. Very strange since I was only reading pages and not downloading anything. So I closed the browser; network activity didn't stop, even though there was no other application or network-sharing active. Rebooted the Mac; traffic finally stopped. Started browsing the web again, and got on the same news site... and there it was again! That was weird... since I just clicked on a page with only text and some graphics (no video or animations). So I tried different web browsers like the IE for Mac and Camino. All of them triggered the same strange network traffic, as soon as it got on the news site. Then I looked into the Activity Monitor of OS-X, but saw nothing out of the ordinary. Fortunately I have a router that does a good job in logging network-traffic. Its log showed that there was a connection made to.... the nasty guys of value*click.com! It turned out that some weird script on the website was trying to make a connection with value*click. I don't know if the script did work on Mac, but it always left an open TCP session on which Value*click was eagerly trying to send/receive something. So I immediately blocked that IP range at the front-door (router); effectively removing some ads from my screen as a pleasant side-effect.

Now guess what news site I was browsing when this happened? You're looking at it right now! No kidding.
:eek:


Anyway... I'm not that worried about OS-X. Criminals just need to take control over some DNS or WAN-router, and anyone browsing with any kind of computer or OS connected to that, is at risk. Also known as "phishing" or "man-in-the-middle-attacks". That is something I'm much more worried about.
 

Evangelion

macrumors 68040
Jan 10, 2005
3,374
147
Yes. That's exactly what happened. Once a hacker has any degree of physical access to your machine all bets are off, and drawing conclusions about one platform's security over another on that basis is pretty silly.

The hacker didn't have physical access to the computer. The user did, but the user was not the hacker. And fact remains that OS X was the only OS to fall to that type of attack. Vista or Linux did not fall.

It's impressive that Linux withstood that

Not only Linux, but Vista survived it as well.

and it's true that Apple needs to address whatever security hole allowed the hacker access, but I don't see the point of claiming superior security of one platform over the other when the hackers were given access to the machine itself.

They weren't given access to the machine... And still, fact remains that OS X failed this test, when the other OS'es did not. We CAN draw conclusions from this test. And no, saying something like "Well, it's unreasonable to expect the OS to be secure in these circumstances...." is just 100% wrong. It's NOT unreasonable. After all, Vista and Linux WERE secure in those circumstances, why should we expect less from OS X?

In some part that was due to a lack of interest.

That was your explanation as to why the Linux-box was never hacked. On what are you basing that assumption? Why couldn't it simply be that it's just more secure than Vista or OS X is?

Why does it seem to me that whenever we get piece of news about Mac getting hacked, we get all kinds of excuses and explanations? "The guys hacking the Mac were brighter and better than the guys hacking Linux and Vista! Vista had SP1 installed, it was not fair! No-one cares about hacking Linux! It doesn't matter since the hack required user-interaction! They managed to exploit the Mac because the planets were aligned just right!".
 

i.maverick

macrumors regular
Dec 13, 2007
216
0
somewhere I belong
a bit of clarification...
the "hackers" could only use unknown exploits.
microsoft sponsors the event in part
the "hackers" would get the machine they hacked, so is it any wonder that the guy went after the macbook air??
yes the guy had been working on the exploit for maybe months on end (not trying to excuse the hole here) but the 2 minutes thing is being blown out of proportion. he was aware of exactly what he wanted to do. so he waited for the second day.
MR is way late in submitting this rumor. this is already stale news.


http://www.roughlydrafted.com/2008/...asons-why-cansecwest-targets-apple/#more-1675



http://www.roughlydrafted.com/2008/...liver-attacks-on-the-reality-of-mac-security/
 

djgamble

macrumors 6502a
Oct 25, 2006
989
500
I think it's amusing how many arguments and assumptions are being made before the full facts come out.

What do we know:
1) There was a competition performed where hackers had to hack either a Mac, a Windows machine or an Ubuntu box.
2) None of the computers went down in the first day; the rules had to be relaxed before any of them moved.
3) All of the computers were completely pawned by the end of the competition.
4) The Mac was hacked first.

What we don't know:
1) How any of the computers were hacked.
2) In what way the rules were relaxed before the Mac was hacked.
3) Whether the Mac is vulnerable to the security issues that took down the Vista machine and the Ubuntu machine.
4) Overall which computer is the least secure over a battery of tests.

This doesn't show that the Mac was the weakest link. As one contributor said… everything was prepared and I'm sure the guys were pro's who came in with security attacks.

Yes it does show that the Mac has a security flaw that Vista and Ubuntu apparently don't have. I think it's most likely a Webkit flaw and is likely related to the new features that Apple recently added (which if you remember, also made Safari by far the fastest browser out there).

Let's see when the facts come out… Macs are always hacked in these competitions, and it always causes a stir. I'm yet to see a Mac hacked without the rules of the competition being relaxed.

People will always use the market share argument, but nobody will be able to prove it until Apple has 99.99% of the market out there. The fact is there are many millions of Mac users out there… 4%… 7-8% I'm seeing now… actually means a loooot of users. I don't know figures… but hundreds of millions? at least 50% of the remaining > 90% of computer users are Mac haters I would guess. Funny… none of the Mac-hating UNIX, Linux or Windows-using hackers have put a mainstream hack/virus for MacOS X into the market.

Also, how can we prove that Apple's slow to respond to exposed vulnerabilities? Seems like they've had less than 12 hours to fix this one, and we'll probably see a patch within the next week, although it's probably not even a serious concern. My guess is it requires very specific circumstances that Apple's engineers haven't even thought of.

hypothetical… but is it a real concern if my computer can be hacked… IF I run some malicious code and enter my root password (assuming the root user is enabled), while some dodgy looking guy with a hacking program on his UNIX box has his machine plugged into mine using a USB cable, an ethernet cable and a firewire cable. I'll then give him 2 days to keep doing his work, and perform weird things on my computer when he tells me to do them (including installing weird .kext's and other 3rd party software that I would usually never delve with).

If that leads to my computer being hacked, then does Apple really need to fix the "bug"?

Where there's a will there's a way. There will never be a computer that can't be hacked, and as software improves in terms of speed and functionality, we're only going to see more ways of hacking computers. get used to it ;)
 

inktoner

macrumors newbie
Mar 31, 2008
1
0
It just makes you go hhhhhhhhhhhhhhhhhmmmmm!

In yesterday's news---

http://www.cbc.ca/health/story/2008/03/31/phac-virus.html

543 Windows computers compromised.
$1.5 Million to clean up.
Protected by one of these so called Expert Security Company.

Windows definitely WON this competition.

Now where's that similar Mac story????????

oh yeah, yawn---All of Miller's work got him only 1 computer and $10,000 when he could have been richer by $1.5 million if he had figured out that Windows Fix...
 

Stridder44

macrumors 68040
Mar 24, 2003
3,973
198
California
As most other users have already said, this is ridiculous (for Apple). Any fanboy still drinking the Apple kool-aid at this point needs to have his head checked. I still love OS X, and am eagerly awaiting 10.5.3.

Hopefully a new Safari version will be released soon as well? I've been reading the nightlies are much better than 3.1.
 

HyperZboy

macrumors 65816
Feb 7, 2007
1,086
1
According to MacWorld, ONLY the Macs were attacked first. Only after the Mac was exploited did anyone attack the PCs. Apparently, no one wanted the PC or Linux prizes?

Anyway, that fact alone makes the "Mac Hacked First" headline completely phony.

The correct title should be "Hackers Love to Win Macs First over PCs!"
 

inkswamp

macrumors 68030
Jan 26, 2003
2,953
1,278
The hacker didn't have physical access to the computer. The user did, but the user was not the hacker. And fact remains that OS X was the only OS to fall to that type of attack. Vista or Linux did not fall.
[...]
They weren't given access to the machine...

You're playing with semantics. When I say the hackers were given access, I mean they were allowed to direct user activity going on for the given machine. There's an old rule about computer security which states that as soon as someone has access to the machine, nothing is secure anymore. When the contest allowed the contestants to direct specific actions on the machine, that was giving them access, regardless of whether it was their fingers doing it.

And once you can control what's happening on the machine, you're open to all kinds of crazy stuff. It basically becomes a Trojan horse at that point, getting the user to launch something or click something that carries a payload. Any platform is vulnerable to that. I just don't get the point.
 

omni-impotent

macrumors newbie
Feb 20, 2008
18
0
This post highlights my feelings about Apple for the past 12 months. They don't give a crap about MAC users anymore, it's all iPhone this and iPhone that. I guess ditching loyal customers for a few extra short-term bucks is a great plan...
 

Evangelion

macrumors 68040
Jan 10, 2005
3,374
147
the "hackers" would get the machine they hacked, so is it any wonder that the guy went after the macbook air??

IF the machines are roughly worth the same amount of money, then it does not matter one bit.

What do we know:
3) All of the computers were completely pawned by the end of the competition.

IIRC, the Linux-machine was not exploited.

What we don't know:
1) How any of the computers were hacked.

We have the rough idea, but not the details.

2) In what way the rules were relaxed before the Mac was hacked.

Um, yes we do.

3) Whether the Mac is vulnerable to the security issues that took down the Vista machine and the Ubuntu machine.

Like I said, Ubuntu-machine was still standing at the end of the competition.

This doesn't show that the Mac was the weakest link. As one contributor said… everything was prepared

Yes, the attacks on the OS X-machine were prepared. But so were the attacks on Vista and Linux.

and I'm sure the guys were pro's who came in with security attacks.

And so are the black-hat hackers.

I think it's most likely a Webkit flaw and is likely related to the new features that Apple recently added (which if you remember, also made Safari by far the fastest browser out there).

It seems that they also made Safari the fastest browser to be 0wned.... I would rather have a slightly slower but secure browser, as opposed to speed-demon that is unsecure.

I'm yet to see a Mac hacked without the rules of the competition being relaxed.

So?

Also, how can we prove that Apple's slow to respond to exposed vulnerabilities? Seems like they've had less than 12 hours to fix this one

The piece of news about Apple being slow at fixing holes was not directly related to this hacking-competition.

hypothetical… but is it a real concern if my computer can be hacked… IF I run some malicious code and enter my root password (assuming the root user is enabled), while some dodgy looking guy with a hacking program on his UNIX box has his machine plugged into mine using a USB cable, an ethernet cable and a firewire cable. I'll then give him 2 days to keep doing his work, and perform weird things on my computer when he tells me to do them (including installing weird .kext's and other 3rd party software that I would usually never delve with).

If that leads to my computer being hacked, then does Apple really need to fix the "bug"?

Strawman-argument. In this case, all it took for the Mac to be exploited, was for the user to visit a website.

You're playing with semantics.

No I'm not. Physical access means that the hacker has.... physical access to the machine. That is, he can plug devices in to it, he can reach the power-button etc. etc. THAT is "physical access". Simply creating a website that will "0wn" the computer is NOT the same as "physical access". And that's what happened here.

When I say the hackers were given access, I mean they were allowed to direct user activity going on for the given machine.

And that's how many real-life exploits take place. You get an email from your friend that says "check this cool video!", you click on the link.... and your machine gets exploited.

There's an old rule about computer security which states that as soon as someone has access to the machine, nothing is secure anymore.

I'm well aware of that rule. And that rule is about the hacker standing right next to the computer! It's about hackers who can pull the powercord or plug in extra devices to the machine. And none of that applies here.

How exactly could you stop a denial of service-attack if the hacker is standing next to the machine with a sledgehammer? You don't.

When the contest allowed the contestants to direct specific actions on the machine, that was giving them access, regardless of whether it was their fingers doing it.

What they were allowed to do was to send mail to the machine and ask the user to go to some website, that's all. That does NOT equal "physical access" no matter how much you try to spin it.

And once you can control what's happening on the machine, you're open to all kinds of crazy stuff.

Their control was limited to sending email and asking the user to go to a website, that's all.

It basically becomes a Trojan horse at that point, getting the user to launch something or click something that carries a payload. Any platform is vulnerable to that. I just don't get the point.

But that's not what happened here. The hacker created a malicious website and asked the user to visit it. When he did, his machine was exploited. He did NOT launch some strange installation-packages or something. He launched Safari and visited a website.

According to MacWorld, ONLY the Macs were attacked first. Only after the Mac was exploited did anyone attack the PCs. Apparently, no one wanted the PC or Linux prizes?

Anyway, that fact alone makes the "Mac Hacked First" headline completely phony.

The correct title should be "Hackers Love to Win Macs First over PCs!"

That's ********. ALL machines were attacked right from the start. I think you are confused by this part of the article:

The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.

That simply means that only the Mac was exploited by Thursday, while Vista and Ubuntu were still unexploited.

EDIT: it should also be noted that OS X was first to be hacked in last year's contest as well.

Not ............................ It is still MUCH easier to hack the Vista OS as an OS than it is to hack the Unix OS X as an OS. If it weren't for this one incident, OS X would likely be sitting side-by-side with its sibling Linux. This ought to be a good incentive, however, for Apple to step-up production of security patches for apps which run on OS X.

Just because some OS is "UNIX" does not mean that it's bulletproof. And not all UNIXes are just as secure. It's widely accepted that OpenBSD is the most secure OS out there (excluding some really niche OSes), with maybe Solaris being second.

It's dumb in the extreme to think that "This is UNIX, therefore it has excellent security". Being (or not being) UNIX says very little about the security of the OS.
 