Well, I will not spend a penny and go through the hassle of keeping my antivirus up-to-date and slowing down my machine because I want to protect the PC users that don't update their antivirus...

It updates itself. As far as performance, you won't even know it's there. These are not like the antivirus programs from years ago and today's machines are much faster.
 
I'll put it this way: I have used PC/Mac for quite a few years and the amount of security patches for the Mac don't even come to a quarter of the thousands of updates I've had to do on a Windows PC, and I have been using a PC since Windows 95.

Edit: I'm sure the PC Fanboys on engadget are having a field day with this.

That's good, but I guess I don't get your point? Are you saying that MS does a better job? Or that Windows is less secure, and needs more patches? :confused:
 
Maybe because at the time of OS 9 people were signing Apple's death certificate. Apple was nothing in those post-Steve, pre-iCEO days. That's why it had less market share. As for virii the reason why was because OS 9 had more holes than OSX will ever have.

No one is saying OSX isn't a great operating system. It's amazing! It's just not PERFECT, it's not IMMUNE, and Apple hasn't been the best at patching known bugs... IE the Java exploit that got ignored for quite some time.

Which proves my point. "Nobody cares about Macs" is a stupid argument. Even if everyone and their grandma cared about hacking Macs it still wouldn't be as easy to break into as other OSes out there. The marketshare myth just annoys the hell out of me. OS 9 proves it's smoke and mirrors.
 
This post has been painful to read, and I've been sitting here debating whether or not it's worth replying, as I'd basically be contributing to what I'm complaining about, and I'm incapable of being succinct.

But it's Friday, and who doesn't like a good internet argument on a Friday ;)

First off, to those claiming that Charlie is an attention-whore, or trying to get a job at Apple:

Charlie is a huge fan of OS X. He's had to state this in pretty much every interview, because people seem to think that by pointing out security vulnerabilities with the Mac, that means he doesn't like it. He uses OS X, he likes OS X. He wrote a book about hacking OS X (with another security researcher) that's a really good read. It's not about poking fun at OS X, it's about wanting the system that you yourself use to be more secure.

Charlie makes his living (like many of us) as a security professional. We get paid to either break into companies or try and break products. As far as security professionals go, he's a very well-regarded one. He's not a fourteen year old kid in a basement writing irc-bots.

There is near-unanimous agreement in the security community (as unanimous as we ever get) that Apple's security posture is near the bottom of all vendors. That includes companies like Microsoft, and Cisco, and Adobe. This is based on years of working with them to get them to patch vulnerabilities. They are categorically the last to release patches when a vulnerability has been discovered, and their whole "veil of secrecy" that people here discuss ad nauseam carries over into even this area. Things are promising, however, as they just hired someone to work in this capacity (someone most of us have a lot of respect for and consider to be a great hire). Time will tell if they get better about handling vulnerabilities.

The thing is, Microsoft (who historically was the punchline to any joke about vulnerability management), has been doing things right for about the past five years. This doesn't excuse the way they acted before that, and it doesn't mean that now Windows is magically vulnerability-free (although both Vista and 7 have been a marked improvement from XP), but they've gotten significantly better about handling vulnerabilities (and are now leaps and bounds better than Apple is).

The thing is though, Microsoft had to do this, as they represent a huge portion of installed systems, and are the biggest target. They were getting beaten up about their security (rightfully so) and it was to the point that it actually affected business.

The same is not true about Apple. The reality is that they can be as bad as they are about security management because they don't yet have a reason not to be. We in the security community are all about security for the sake of security (it's a philosophical tenet), but that's not pragmatic. Companies only care about security if it affects their business (and I don't necessarily think that's a bad thing), and for Apple, it doesn't.

People keep talking about viruses on here, and to be honest, we haven't cared about viruses for almost ten years. Viruses eat up CPU cycles, and generate network traffic and are easy to detect in an environment that has even basic security monitoring.

Everything comes back to money. Viruses don't cost money anymore (not of the magnitude that we worry about). What does cost money is malware that hijacks online banking credentials, or grabs SSNs, or online gaming accounts, or acts as a way for an attacker to obtain sensitive corporate information. This past year the amount of money stolen from banks electronically was about 10 times the amount taken in actual physical robberies.

And attackers don't care how they obtain this information. We don't care about owning a box for the sake of owning it, we don't care about stealing passwords from a user unless that is a means to obtain what we're actually after. Honestly, we're after the money, and we'll spend large amounts of our own time and money if it means we can get more of it.

If that means developing exploits for OS X, then that's what we do. If it means just getting a user to visit a website, then we do that.

Excellent post. It's not like the 90s, where virii was just a program to destroy; it's a multi-billion dollar international business.
 
Which proves my point. "Nobody cares about Macs" is a stupid argument. Even if everyone and their grandma cared about hacking Macs it still wouldn't be as easy to break into as other OSes out there. The marketshare myth just annoys the hell out of me. OS 9 proves it's smoke and mirrors.

You don't understand though, it's not that it's not easy to break in, it's just there is no need for it. Why break into 1000 Macs when I can have 100000000 PCs. The object of these organized crime rings is numbers, not glory.
 
The reason there are no self propagating viruses is because of the way OS X, and all UNIX systems, are laid out. The basic user (that's you until you type your password in) has almost NO rights. Even if you downloaded and ran a virus, you'd have to authorize it as root for it to do anything more than deleting your documents. That's not what hackers want -- they want to use your machine to further spread their virus, and to use it as part of a botnet. They couldn't care less about your documents.

Windows Vista was a step in the right direction. It began to apply the same security, through.. whatever that annoying box is called. The only issue with that plan was this: EVERYTHING required administrator access. OS X had this since day one (well, 15 years before day one if you want to go back to NeXTSTEP) and few applications were written in this manner. This brings about a different type of user. Windows users: Sure, run that code. OS X Users: Wtf, don't let that code touch my shiznit.
 
You are correct. Both Viruses and Trojans are very aptly named, if you know a thing or two about history and medicine.

A Virus is a self-replicating program that requires no human interaction to spread. To do this it must take advantage of "holes" in a system, because systems are not designed to allow a program to do this for obvious reasons. A security hole may enable the creation of a Virus, however often times you need a number of holes in a number of layers in order to create an effective virus.

In simple terms, it's no use having a hole that allows you to enter a machine, if there is not a second hole that allows you to reproduce, and yet another hole that allows you to transmit yourself undetected to other machines.

Quite different is a Trojan. Just like the horse, this is just a program designed to look like something else. No system is immune to these, because you are tricking the computer user into thinking they are doing one thing, when really they are doing something else. If I rename your Chrome browser to "Firefox", that is a Trojan, just not a harmful one. If I write a destructive AppleScript and call it "photoshop", that is also a Trojan, and there is no security hole that needs to be taken advantage of.

The analogy goes back to the Human immune system. You can have a kickass immune system that doesn't let any viruses in, nor reproduce, and certainly not transmit. That doesn't mean that if your friend hands you Neosporin for your large cut, and really it's just a big ol' bottle of AIDS you're rubbing on your wound, that you aren't @#$%ed.

As long as the User has the ability to be destructive to a system they own, a Trojan will be a viable way of doing damage.

Spot on. It's why the pirated iWork and porn codec trojans were effective. You install it, you give it your password, because you went looking for it. You're borked. It's no different on any OS, and it's very difficult for an OS writer to protect against human stupidity.
 
All of Miller's exploits require the use of a cross-over cable, which is never a network configuration you see in the wild.

His exploits are not relevant to anyone connected to a network wirelessly or via an unmodified Ethernet cable.

Specifically, the target computer is connected to the Internet wirelessly and Miller's computer is directly connected to the target computer via a cross-over cable.

So, don't let a hacker connect to your computer with a cross-over cable. A cross-over allows the hacker to bypass many of the security features emphasized in OSX that are limited in Windows.

Please do explain how the use of a crossover cable means anything? It's been awhile since I've had to use one, but back when I did it was only used so you could plug 2 computers together without the need of a hub or switch. I don't remember anything inherent in a cross over cable that suddenly bypassed anything.

Now, if your switch is blocking ports or traffic or you normally go through some sort of hardware firewall then connecting directly to the computer will of course bypass that, but it won't change the security measures on the computer itself.
 
Spot on. It's why the pirated iWork and porn codec trojans were effective. You install it, you give it your password, because you went looking for it. You're borked. It's no different on any OS, and it's very difficult for an OS writer to protect against human stupidity.

Ding Ding Ding! Again the biggest virus is between the keyboard and chair. You give the user the keys to the kingdom... you can fill in the blank. I could easily post an "Adobe CS4 Photoshop" torrent and use the creative XML install that comes with the enterprise version to install a hidden folder which contains an executable exploit. You think you're installing Photoshop, well you are, and of course my little files as well.
 
You don't understand though, it's not that it's not easy to break in, it's just there is no need for it. Why break into 1000 Macs when I can have 100000000 PCs. The object of these organized crime rings is numbers, not glory.

And don't know. Why don't you ask Miller? I'm sure he would be happy to tell you =o

It still doesn't debunk the whole "it's more secure" thing. Market share is only part of it. Like I said. It's not just "People don't give a darn about Macs".

I don't know why people don't get it. OS 9 = perfect example of this. For the last time.
 
I'd love to see an Apple apologist answer this.

Fact is, nobody gives a $%^& about a mac.

Why are these people even on these Boards?

I don't care for Sky Diving so I never even browse their websites, let alone comment on them.

Go grab your XP machine and be happy with it and let us Mac users be happy with our Macs.

I, for one, have been virus AND technical problems free for over 15 years using my long list of Macs.
 
This post has been painful to read, and I've been sitting here debating whether or not it's worth replying, as I'd basically be contributing to what I'm complaining about, and I'm incapable of being succinct.

But it's Friday, and who doesn't like a good internet argument on a Friday ;)

First off, to those claiming that Charlie is an attention-whore, or trying to get a job at Apple:

Charlie is a huge fan of OS X. He's had to state this in pretty much every interview, because people seem to think that by pointing out security vulnerabilities with the Mac, that means he doesn't like it. He uses OS X, he likes OS X. He wrote a book about hacking OS X (with another security researcher) that's a really good read. It's not about poking fun at OS X, it's about wanting the system that you yourself use to be more secure.

Charlie makes his living (like many of us) as a security professional. We get paid to either break into companies or try and break products. As far as security professionals go, he's a very well-regarded one. He's not a fourteen year old kid in a basement writing irc-bots.

There is near-unanimous agreement in the security community (as unanimous as we ever get) that Apple's security posture is near the bottom of all vendors. That includes companies like Microsoft, and Cisco, and Adobe. This is based on years of working with them to get them to patch vulnerabilities. They are categorically the last to release patches when a vulnerability has been discovered, and their whole "veil of secrecy" that people here discuss ad nauseam carries over into even this area. Things are promising, however, as they just hired someone to work in this capacity (someone most of us have a lot of respect for and consider to be a great hire). Time will tell if they get better about handling vulnerabilities.

The thing is, Microsoft (who historically was the punchline to any joke about vulnerability management), has been doing things right for about the past five years. This doesn't excuse the way they acted before that, and it doesn't mean that now Windows is magically vulnerability-free (although both Vista and 7 have been a marked improvement from XP), but they've gotten significantly better about handling vulnerabilities (and are now leaps and bounds better than Apple is).

The thing is though, Microsoft had to do this, as they represent a huge portion of installed systems, and are the biggest target. They were getting beaten up about their security (rightfully so) and it was to the point that it actually affected business.

The same is not true about Apple. The reality is that they can be as bad as they are about security management because they don't yet have a reason not to be. We in the security community are all about security for the sake of security (it's a philosophical tenet), but that's not pragmatic. Companies only care about security if it affects their business (and I don't necessarily think that's a bad thing), and for Apple, it doesn't.

People keep talking about viruses on here, and to be honest, we haven't cared about viruses for almost ten years. Viruses eat up CPU cycles, and generate network traffic and are easy to detect in an environment that has even basic security monitoring.

Everything comes back to money. Viruses don't cost money anymore (not of the magnitude that we worry about). What does cost money is malware that hijacks online banking credentials, or grabs SSNs, or online gaming accounts, or acts as a way for an attacker to obtain sensitive corporate information. This past year the amount of money stolen from banks electronically was about 10 times the amount taken in actual physical robberies.

And attackers don't care how they obtain this information. We don't care about owning a box for the sake of owning it, we don't care about stealing passwords from a user unless that is a means to obtain what we're actually after. Honestly, we're after the money, and we'll spend large amounts of our own time and money if it means we can get more of it.

If that means developing exploits for OS X, then that's what we do. If it means just getting a user to visit a website, then we do that.

Great post. It's unfortunate that people still think Winnuke is the tool du jour. Frankly, no one gives a crap about attacking your PC unless they can control it and a million others like it.
 
Some people are being rather silly.

Any computer CAN get a virus.

It's harder to get a virus on Mac/Linux because:

c) All the people coding stuff that's got an .exe extension won't affect Macs, 'cos Macs won't run anything with an .exe extension. Even if it is a virus it won't affect the computer.

WOW. Virii don't affect Macs because Macs can't run .exe! Mystery solved!
 
And don't know. Why don't you ask Miller? I'm sure he would be happy to tell you =o

It still doesn't debunk the whole "it's more secure" thing. Market share is only part of it. Like I said. It's not just "People don't give a darn about Macs".

I don't know why people don't get it. OS 9 = perfect example of this. For the last time.

You're not debunking anything, you are just stating blubbering rubbish. Give some examples instead of just quoting other people's comments and throwing in random opinions.
 
"a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."


HAHAHA….Yeahhh, RIGHT!!! That analogy can only come from a biased person set out to prove a lame point!
 
It updates itself. As far as performance, you won't even know it's there. These are not like the antivirus programs from years ago and today's machines are much faster.

I am a system admin at work and we have SEP11... Tell me about the pain we have to go through every day with workstations that didn't update properly and have been quarantined from the network, false positives that it generates, systems that become ultra slow when doing the weekly scan, etc. etc. etc...

I have seen how many people complaining that have installed Symantec on OS X and crashed their OS at some point...

I'm the kind of person that does not run anything that doesn't need to be run on my machine. I will not start to run an antivirus for people (PC Users) that don't
 
Where does your logic base come from? I'm asking because your comparison is apples and oranges. If being "famous" means running from the feds and not being able to take advantage of the fame aside from black market underworld deals then I don't think you have a lot of people standing up.

Well, I never said the successful hacker would go public with his real name. I'm sure there are ways to enjoy fame and notoriety online without giving away enough to get arrested.
 
All of Miller's exploits require the use of a cross-over cable, which is never a network configuration you see in the wild.

His exploits are not relevant to anyone connected to a network wirelessly or via an unmodified Ethernet cable.

Specifically, the target computer is connected to the Internet wirelessly and Miller's computer is directly connected to the target computer via a cross-over cable.

So, don't let a hacker connect to your computer with a cross-over cable. A cross-over allows the hacker to bypass many of the security features emphasized in OSX that are limited in Windows.

Not saying you're wrong, but do you have proof that that's the only way his exploits worked? I'm really interested in security, and enjoy reading about this stuff.

This post has been painful to read, and I've been sitting here debating whether or not it's worth replying, as I'd basically be contributing to what I'm complaining about, and I'm incapable of being succinct.

But it's Friday, and who doesn't like a good internet argument on a Friday ;)

First off, to those claiming that Charlie is an attention-whore, or trying to get a job at Apple:

Charlie is a huge fan of OS X. He's had to state this in pretty much every interview, because people seem to think that by pointing out security vulnerabilities with the Mac, that means he doesn't like it. He uses OS X, he likes OS X. He wrote a book about hacking OS X (with another security researcher) that's a really good read. It's not about poking fun at OS X, it's about wanting the system that you yourself use to be more secure.

Charlie makes his living (like many of us) as a security professional. We get paid to either break into companies or try and break products. As far as security professionals go, he's a very well-regarded one. He's not a fourteen year old kid in a basement writing irc-bots.

There is near-unanimous agreement in the security community (as unanimous as we ever get) that Apple's security posture is near the bottom of all vendors. That includes companies like Microsoft, and Cisco, and Adobe. This is based on years of working with them to get them to patch vulnerabilities. They are categorically the last to release patches when a vulnerability has been discovered, and their whole "veil of secrecy" that people here discuss ad nauseam carries over into even this area. Things are promising, however, as they just hired someone to work in this capacity (someone most of us have a lot of respect for and consider to be a great hire). Time will tell if they get better about handling vulnerabilities.

The thing is, Microsoft (who historically was the punchline to any joke about vulnerability management), has been doing things right for about the past five years. This doesn't excuse the way they acted before that, and it doesn't mean that now Windows is magically vulnerability-free (although both Vista and 7 have been a marked improvement from XP), but they've gotten significantly better about handling vulnerabilities (and are now leaps and bounds better than Apple is).

The thing is though, Microsoft had to do this, as they represent a huge portion of installed systems, and are the biggest target. They were getting beaten up about their security (rightfully so) and it was to the point that it actually affected business.

The same is not true about Apple. The reality is that they can be as bad as they are about security management because they don't yet have a reason not to be. We in the security community are all about security for the sake of security (it's a philosophical tenet), but that's not pragmatic. Companies only care about security if it affects their business (and I don't necessarily think that's a bad thing), and for Apple, it doesn't.

People keep talking about viruses on here, and to be honest, we haven't cared about viruses for almost ten years. Viruses eat up CPU cycles, and generate network traffic and are easy to detect in an environment that has even basic security monitoring.

Everything comes back to money. Viruses don't cost money anymore (not of the magnitude that we worry about). What does cost money is malware that hijacks online banking credentials, or grabs SSNs, or online gaming accounts, or acts as a way for an attacker to obtain sensitive corporate information. This past year the amount of money stolen from banks electronically was about 10 times the amount taken in actual physical robberies.

And attackers don't care how they obtain this information. We don't care about owning a box for the sake of owning it, we don't care about stealing passwords from a user unless that is a means to obtain what we're actually after. Honestly, we're after the money, and we'll spend large amounts of our own time and money if it means we can get more of it.

If that means developing exploits for OS X, then that's what we do. If it means just getting a user to visit a website, then we do that.

Awesome post, man. Absolutely what I try to warn people all the time about malware in general, both Windows and OS X users.
 
"a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."


HAHAHA….Yeahhh, RIGHT!!! That analogy can only come from a biased person set out to prove a lame point!

A Mac is like living in a small gated community with gorgeous houses surrounded by a terrible neighborhood. Anyone can jump over those gates at some point.
 
You're not debunking anything, you are just stating blubbering rubbish. Give some examples instead of just quoting other people's comments and throwing in random opinions.

I never claimed to debunk a darn thing. Prove to ME how OS X is less secure than Microsoft Windows. WITHOUT using "it has less marketshare"

Blubbering rubbish? How so? It's a fact. Get yours straight nummy num and come back then we'll talk. OK?

Random opinions? OK. Whatever you say. =/
 
I never claimed to debunk a darn thing. Prove to ME how OS X is less secure than Microsoft Windows. WITHOUT using "it has less marketshare"

Blubbering rubbish? How so? It's a fact. Get yours straight nummy num and come back then we'll talk. OK?

Random opinions? OK. Whatever you say. =/

I already did read a few posts up. I never once said OSX is less secure than Windows that would be a stupid statement. I said OSX isn't perfect. Read the posts I have made other than the ones responding to you. I've provided real life information... you have provided smilies XP
 
This showed up on this forum's registration:

Important note: Do not pick an easy-to-guess password, such as your username or a dictionary word. We may change such passwords to prevent account hijacking. See Google's password tips.

-So if there needs to be a disclaimer to people, who are supposedly intelligent, about password tips....then I think it is fair to say that no computer is completely safe from any attack, foreseeable, or unforeseeable. Humans are fallible and so are program writers.

-The huge amount of Government servers in operation use Microsoft software and they are probably the most attacked systems in the world.

-Which brings me to this point: We are small fish in a big pond. Being wise and cautious about what you open, view and download and where on the web you find it, is not only common sense but just overall Computing Sense. Regardless of which system you use, there should always be a sense of skepticism about claims manufacturers make (i.e. TOYOTA).


Besides, since we all can afford a 1000 dollar Mac and their other high end tech gear we certainly can afford the 40 bucks for an antivirus software for our machines....Come on, don't get cheap on me.
Check your credit to make sure no one has found **** you did not want to be exposed and use caution, like driving a car, you never know what someone else is gonna do on the road.

-Dad