Take a chill pill Evangelion.

I'm sorry, but being quiet and polite wouldn't go far when trying to refute arguments that are pure BS.

As I have continuously said, we have no idea what the reported hack did, or how to reproduce it step by step.

And that means that it didn't exist? What we DO know is that it's a hole in OS X, and the OS did not have to be modified in any way to take advantage of that hole.

You keep claiming that we know everything about it, and that it was directly a bug in Webkit. May I ask then… why wasn't it hacked on the first day?

*sigh*.... On the first day the hackers were supposed to compromise the machine by working on it from the network. That is, the machine sits on the desk while connected to the network, and the hacker remotely takes the machine over. None of the three machines fell for that. On the second day they allowed interaction with the user of the machine. That is, that the user does something that enabled the machine to be compromised. In the case of the Air, the "something" was visiting a website that contained malicious code.

On the third day the rules were further relaxed, by allowing the hackers to use third-party apps that do not ship with the system.

Your attack on my knowledge is ludicrous as you are continuously jumping to conclusions about something I, and others, are repeatedly claiming needs further examination.

I'm "attacking your knowledge" because you are obviously lacking crucial information regarding this competition. You had no idea what kind of computers the different OS'es were running on (hell, you claimed that Linux ran on tower-PC!), you had no idea how the machines were compromised (you claimed that they had total access to the machines and that they installed kernel-extensions), you had no idea how the rules were relaxed as time went on etc. etc.

Nobody knows what the exploit is or how they did it step by step.

What we do know is that the hole exists in every single 10.5.2-installation out there. No, we don't know how the hack was crafted, since that's classified information. But we do know that it exists and that it requires no modifications to the host-system.

Stop claiming you do, you don't. All we know is that it was made possible after the rules were relaxed on the second day. The system was changed to be more vulnerable, and before this change it was invincible.

And your point is what?

As it was reportedly a Webkit bug, I wouldn't be surprised if the Ubuntu machine also had the bug, seeing as Webkit and Konqueror are pretty well the same thing.

Ubuntu does not use WebKit. None of the Linux-distros do. Some of them use KHTML, but KHTML is not the same as WebKit.

We'll know if this is true when the technical details come out (just in case you were ready to jump to another conclusion)

What we know right now is that the hole exists in OS X, but not in Ubuntu, since Ubuntu does not use WebKit.

I've checked the machines. The MacBook Air was the most expensive.

But the fact remains that if he wanted the maximum amount of goodies, he should have targeted the easiest target, since the person demonstrating a successful hack not only gets to keep the target-machine, but he also gets 10.000 bucks (unless he manages the hack sooner, then he wins even more money). The second hack only gets the target-laptop and 5.000 bucks. Surely if Vista is the easier target, he should have targeted the Vista-machine, since that would have had the greatest odds of winning cool 10.000 bucks? That money buys you several MBA's. And the earlier they manage to hack a system, the more money they win. So if Vista is the easiest target, why didn't they target it, since then they could have won even more cash?

You could not have sold one of the other ones on the 2nd hand market and bought the MacBook air. It was definitely the crown jewel… sorry, but that's all the competition shows. People wanted to win a MacBook Air.

Are you saying that they couldn't buy a MBA with the 10.000 bucks the winner of the contest wins?

PS - Your deconstructions of my comments are flattering :D I'm glad you took the time.

And the sad thing is that even though I spent quite a bit of time shooting down your ludicrous claims, you learned nothing...
 
One day, not two. In the first day, none of the OS'es were compromised. In the second day, the rules were relaxed, and OS X was immediately compromised, while the others were not.



What grabbed the headlines is the fact that OS X fell, while Vista and Linux did not. Yes, Vista was compromised later, but only after the rules were further loosened.

ya.. thats it..my point..
if they showed that vista was not compromised, nobody would have believed the contest.
so, on the second day, after the mac exploit had made news... major news.!
also, notice how the names of the manufacturers were used, so vista at one instant could avoid direct interpretation.. so the names used were macbook air, which obviously had to run os x or apple(ha!), and.. get this.. a sony vaio.not vista.vaio. so there was something going on there if you ask me.

Cut the crap. I have XP installed on my MBP which I use occasionally. It has no antivirus installed at all. And guess what? No viruses. None.

Delusional hyperbole does not help here.

okay.. u stitch the crap.. if u got no av installed.. how do u know there's no virus snootin in there somewhere.!!
:D
 
okay.. u stitch the crap.. if u got no av installed.. how do u know there's no virus snootin in there somewhere.!!
:D

There are a number of sites that check your machine for you without having to install AV software. Pandasoft run one, for example.
 
You chicken littles keep reporting that the sky is falling for the Mac. I have NEVER, EVER, had a virus. EVER! And don't give me that 7% crap because there are more haters and trolls for the Mac than ever before.
 
okay.. u stitch the crap.. if u got no av installed.. how do u know there's no virus snootin in there somewhere.!!
:D

How do you know there are no viruses in your OS X-system?

That said, how do I know? because

a) I have no problems (excluding the normal Windows-annoyances that is). Everything is running smoothly.

b) I don't install crap

c) I do occasionally check the processes that run on the machine, and I haven't found anything strange

d) Before this particular Windows-install, I did use antivirus with Windows. And I never ran into viruses back then either.
 
Despite the continual attempts to probe my Mac's ports, the Apple firewall seems to have kept out all intruders. Hooray!

Of course if someone managed to load a trojan that somehow disabled the firewall to some extent...

That's why I was concerned that some hacker claimed that Macs are the easiest to hack.

Hopefully we will hear some kind of definitive response from Apple on this issue sometime soon.
 
You chicken littles keep reporting that the sky is falling for the Mac. I have NEVER, EVER, had a virus. EVER! And don't give me that 7% crap because there are more haters and trolls for the Mac than ever before.

Here's the thing. In 2006 there was that hoo-ha over the Blackhat conference when the MacBook was supposedly hacked. That was a farce and the exploit was generally shredded. This time, however, no one has suggested that the WebKit exploit isn't real. What this means is that while you do not have a virus now, don't bet against it in the future because clearly there are flaws open to exploitation. Whether the Mac is more or less secure than the competition really isn't important unless you are thinking of buying a new computer and are open to switching. What is important is that the Mac can not be perceived as being secure today as it was before this hack took place. And you should be taking this very seriously.
 
Except that Vista and Ubuntu were not hacked at all with default applications installed, even though people were trying all day after the Mac was hacked. The Vista laptop wasn't hacked until the third day (when they installed third party apps), and the Ubuntu laptop was never hacked.

And it's pretty trivial to get people to click on a random link. Either hack a legitimate site and replace a link on it with the link to the exploit code, or just post a link somewhere saying "free porn here".

Yet if Flash was a default app on vista, as safari is to leopard, it would've fallen on day 2 as well.
 
That was your explanation as to why the Linux-box was never hacked. On what are you basing that assumption? Why couldn't it simply be that it's just more secure than Vista or OS X is?

I meant no attack against Linux. My comment was based on an article I read about the event where someone commented that some hackers had Linux exploits "in hand" but didn't feel it was worth the time to develop them.

I'm a little busy right now, but later today I'll find that article and post a link here.

okay mr bongo.. my point is that do u know what percentage of the sponsorship came from microsoft and what % came from the others.?

There's an old adage from TV detective shows about "follow the money". But I think you're following the wrong money.

It's not MS's sponsorship money, or the money the hacker won.

Think about the computer security industry as a whole. Where does its money come from? What side of their bread is buttered?
 
How do you know there are no viruses in your OS X-system?

That said, how do I know? because

a) I have no problems (excluding the normal Windows-annoyances that is). Everything is running smoothly.

b) I don't install crap

c) I do occasionally check the processes that run on the machine, and I haven't found anything strange

d) Before this particular Windows-install, I did use antivirus with Windows. And I never ran into viruses back then either.

i know as the millions of others know. but u, apparently, are one. also, why, exactly why did u not install vista though it now is more secure.Ha!
 
okay mr bongo.. my point is that do u know what percentage of the sponsorship came from microsoft and what % came from the others.?

They're a prime sponsor along with about four other companies. Of course, that's totally irrelevant because MS sponsor a lot of events like this as it helps their team find vulnerabilities in their applications so they view it as a good thing.

On the other hand, Apple don't sponsor these events at all so you have to ask yourself what's better - sponsoring events that allow you to identify weaknesses so you can repair them and give increased security to your userbase or not bothering to look after their interests?

People who are claiming MS sponsor these events to discredit Apple are, frankly, silly because MS have been sponsoring similar events for years even when they ended up getting a right kicking out of them.
 
more programmers don't mean squat. if it did, vista wouldn't be what it is even after SP1.
and they haven't committed a crime by earning that much.
:p

It proves once again that money can't get you everything.

That said, maybe the Pro hacker took the Apple / The Average Hacker the Windows and the rookie hacker the Linux? Who knows ;)

All I know is, compared to windows, in everyday use Apple is more secure to daily viruses / trojans / spyware etc. Have a nice day everyone!
 
i know as the millions of others know. but u, apparently, are one. also, why, exactly why did u not install vista though it now is more secure.Ha!

Because

a) Vista is a lot more expensive than XP is. Yes, I had to buy Windows at retail

b) Vista is crap, whereas XP is at least somewhat tolerable.
 
I meant no attack against Linux. My comment was based on an article I read about the event where someone commented that some hackers had Linux exploits "in hand" but didn't feel it was worth the time to develop them.

So, they had exploits ready to go, and they started thinking: "You know, we have two options right now. Either we spend few hours hacking in to that Linux-box, and earn money + a laptop. Or we go get a beer instead".
 
Guys what up there's something more to it

why would anyone not want the linux laptop, I think they wanted the macbook air so they went to it first, here's the key they didn't want the vista laptop. They wanted the mac not vista or linux. the fact is I'm not any safer using email on a mac than on windows. Lesson watch what you click!!!!!!!:eek::)

One last thing maybe they will fix it in 10.5.3.
_____________________

Proud owner of
Silver imac 20 in.
Ipod silver 1gb.
 
why would anyone not want the linux laptop, I think they wanted the macbook air so they went to it first, here's the key they didn't want the vista laptop. They wanted the mac not vista or linux. the fact is I'm not any safer using email on a mac than on crappy windows. Lesson watch what you click!!!!!!!:eek::)

This has already been discussed.... If they wanted a MBA, the easiest and obvious answer would be to target the machine that is easiest to compromise. Why? Because the sooner they compromise it, the more money they get (plus they get the laptop). Had they targeted the Vista-machine, and compromising it was easy, they could have earned something like 20.000 bucks (I believe that was the reward for 1st-day success), and that money buys a lot of MacBooks. Instead, they now got 10.000 bucks and a MacBook. Yet you are basically claiming that 10.000 bucks + MacBook Air is better than 20.000 bucks + Vista-laptop?

Trying to claim that "Mac was hacked first because the hackers wanted to get a MBA" is disingenuous. It's not like MBA is a rare machine that is next to impossible to buy. Nor is it extraordinarily expensive. Hell, my MacBook Pro cost more than the standard MBA does!
 
So, they had exploits ready to go, and they started thinking: "You know, we have two options right now. Either we spend few hours hacking in to that Linux-box, and earn money + a laptop. Or we go get a beer instead".

Actually, kind of yes. ( I said that the lack of interest was in part the reason Linux wasn't hacked.)

Here's the entire quote, emphasis mine:

"Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. "I was surprised that it didn't go," she said.

Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

And a link to the article.
http://news.yahoo.com/s/pcworld/20080329/tc_pcworld/143962
 
Actually, kind of yes. ( I said that the lack of interest was in part the reason Linux wasn't hacked.)

Here's the entire quote, emphasis mine:

"Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. "I was surprised that it didn't go," she said.

Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

And a link to the article.
http://news.yahoo.com/s/pcworld/20080329/tc_pcworld/143962

I find that really hard to believe. It sounds similar if I said "yeah, I could write a best-selling novel, but I just don't feel like doing it...."
 
ladirection and others

you've hit the nail on the head and so have others.....not as computer literate as a lot of you but i won't go higher than 10.4.11 i definitely am not going to get leopard nor ilife 08 or iwork 08 nor this time machine junk....there are a lot who are ready to attack anyone who criticizes Jobs etc but the FACT is a big hustle has been going on and you guys shouldn't have been so quick to buy leopard...i know a lot of you know how to get around and work with this and i wish i was as smart but tiger has never been any problem for me and so many are relating leopard problems, "08" problems, little things like including cords or stuff that now we have to pay for these are all the result of someone who has gotten a fat head and thinks he/they can con more and more...I bought the mac mini when it first came out and it was then that there were small signs that hustling was becoming more evident with the Mac product.....this guy needs to step back and realize that what goes up can also go down and the USA is heading into a depression and all this Mac stuff could go "poof" overnight....i'd make sure my bases are covered before i bought anymore Apple stuff of any kind until i see those at the top getting their act straight....funny thing is supporting cast and third party products are better than top management as far as satisfaction goes such as OWC, local Apple store etc....my two cents...
 
It's important to note that he hacked Safari by taking advantage of an overflow bug in one of WebKit's JavaScript engine libraries. Since WebKit is open source, the vulnerability was logged and posted by Apple the same day it was discovered:

http://trac.webkit.org/projects/webkit/changeset/31388

This is hardly the end of the world.

Until Mac OS X becomes susceptible to in the wild malware and viruses, the "security ball" remains in Apple's court.

The bulk of Mac OS X's protection lies in the fact that in order to make changes to system files, you are required to enter your user name and password.

If you travel to questionable Web sites, click on questionable links and enter your security credentials to install questionable software — no amount of security will protect you.

Security is just as much about behavior as it is code.

As for Apple, they should respond to all discovered security vulnerabilities in a timely manner. There's no excuse for not patching a vulnerability if the information has been passed on to you.

You should also consider the source. These security firms were created to find vulnerabilities. That's where they make their money (or in this article's case — earn their public funding). They're not going to issue press releases touting a vendor's operating system's security.

The only problem with that is the fact that they have not fixed it in Safari yet. Just because it was fixed in webkit, does not mean that the vulnerability is gone from other webkit based browsers.
 
There's an old adage from TV detective shows about "follow the money". But I think you're following the wrong money.

It's not MS's sponsorship money, or the money the hacker won.

Think about the computer security industry as a whole. Where does its money come from? What side of their bread is buttered?

and.. would you care to answer that..!!?
 