“A report by Agence Presse-France from this year’s DefCon hacker convention in Las Vegas centered on comments from security analyst Cameron Hotchkies. Hotchkies, who works with Zero Day Initiative to find and report security vulnerabilities in Apple software, gave a talk on Mac OS X hacking this past Saturday to a packed room. ‘There are a lot more people getting into it and really getting their hands dirty,’ he told AFP. ‘I’ve been seeing a lot of reverse engineering on the Apple platform,'” Chris Foresman reports for Ars Technica.
“The article goes on to ‘explain’ that an increase in Windows ports and iPhone jailbreaks are evidence that users should start to be worried about hackers and malware,” Foresman reports. “The truth is that increased scrutiny could lead hackers to target Mac OS X, but users jailbreaking an iPhone or a Windows developer porting poorly-written code to Mac OS X isn’t going to lead to rampant malware problems overnight. Users jailbreak iPhones to add software capabilities that aren’t approved by Apple; a bad Windows port is not likely to sell in very high numbers on a Mac.”
Full article, which also rightly reminds readers to be wary of social engineering (phishing and trojans), here.
MacDailyNews Take: Somehow this is “news” yet again, this time to Agence Presse-France. The same “report” has been published quarterly, at least, for the last half a decade. Yet, somehow, we Mac users manage to survive and surf the Web unimpeded on our Macs in the face of all of these “reports.”
In the full Agence Presse-France article, Glen Chapman reports, “Hackers have historically focused devious efforts on computers using Windows operating systems because the Microsoft software has more than 90 percent of the global market, promising evil-doers a wealth of targets. Macintosh computers have been gaining market share and catching the interest of hackers.”
That the Mac is secure via obscurity is a myth. Why, if obscurity means security, in April 2007 was there a virus for iPods running Linux (a few thousand devices total, at most, in all the world), but there are no viruses for the 30 million or so Mac OS X computers that are currently online? Hello? Bueller?
Uh, oh – logic is certainly not what AV software peddlers, Windows PC box assemblers, and the rest of the leeches stuck to the Windows ecosystem want people to hear. Fear is what they’re after. Increased Mac sales always result in increased anti-Mac FUD. It’s as sure as death and taxes. The sheep must be kept in the Windows pen, no matter the cost to reputations, reality, productivity, sanity, etc. Far too many have far too much invested in Microsoft Windows for them to stand idly by and let it all slip away due to a vastly superior solution from Apple. But slip away it does nonetheless.
The idea that Windows’ morass of security woes exists because more people use Windows and that Macs have no security problems because fewer people use Macs, is simply not true. By design, Mac OS X is simply more secure than Windows. Period. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times’ David Pogue’s mea culpa on the subject of the “Mac Security Via Obscurity” myth here.
“Security via Obscurity” is a defense mechanism for the delusional and also a tool for Microsoft apologists and/or those who profit from Windows to keep the sheep in the pen. 30 million Mac OS X installs is not “obscure” at all, but seven (7) years of Mac users surfing the ‘Net unimpeded certainly is “secure.” Besides social engineering scams (phishing, trojans; no OS can instill common sense) the only thing by which Mac users are really affected are large swaths of compromised Windows machines slowing down the ‘Net with spam and nefarious botnet traffic targeted at exploiting even more insecure Windows boxes. Get a Mac.
Are the small handful of viruses that affected OS 9 (and earlier systems) still in circulation?
To the person who keeps trying to dismiss Daniel Eran’s article on the basis that he is supposedly an idiot, you are making a logical fallacy. You cannot, in an argument, simply dismiss something someone says based on your opinion of them or their possible motives. He may in fact be a moron or even be an Apple tool, but if what he says is correct, the onus is on you to discredit his ideas factually.
For example, Rush Limbaugh has been proven to be a hypocrite, a lazy researcher, and an admitted “water carrier” of the current administration, but knowing all of that no one can listen to his show and say that every utterance from his mouth is incorrect, because it’s not.
So get off your lazy ass, read the article, and discredit it where you can.
One additional piece of logic for you: It doesn’t matter why Mac OS X is free of malware, whether it’s through obscurity, better o.s. design, whatever, the FACT remains that there is only ONE (1) piece of malware in the wild for the Mac, a trojan which has to be actively downloaded and actively approved to run; therefore, OS X is safe and reliable to use with regard to malware. Those of us who use it and are also forced to use Windows, say, at work, prefer the stability, elegance, and functionality of OS X.
“So get off your lazy ass, read the article, and discredit it where you can.”
Unfortunately, you’re asking the impossible from this demented tool.
OFT (our fathead troll, who is now using a variety of anonymous names as he dare not reveal his true identity because the men in white coats are after him with a loony net) sez:
A pile of lame deceptive FUD. Nothing new.
That’s all this guy has to offer. Dull.
I personally like Eran a great deal and find him to be a terrific writer and satirist. If I were only as talented. But this is just opinion and OFT has the right to his own, no matter how ignorant.
What OFT has no right to is lying, misdirection, misleading and obfuscation. Thus I enjoy kicking his lame ass.
As I thoroughly documented above in the thread, the ‘hacked in 2 minutes’ Mac from this year’s CanSecWest was NOT hacked on the first day. No one even bothered to try. It is considered IMPOSSIBLE to hack into a Mac from the outside, period. Day 1 of the PWN2OWN contest represents REAL WORLD CIRCUMSTANCES where a hacker has to break into the computer all on his lonesome. He gets no help.
Day 2 of PWN2OWN changes the rules. On Day 2 the hacker is provided with a LUSER accomplice who deliberately seeks to get his computer hacked. Has this ever happened to you? I thought not. So everyone! You can completely ignore the dishonest inference by OFT that the ‘2 minute hack’ has ANY relevance to real life.
IRL, if you had a user who WANTED to get hacked, why the hell bother? If a hacker accomplice has access to an administrator’s account on a Mac, just install whatever malware you want! Obviously! Zombie the thing! Wipe the hard drive! Blow it up with dynamite! (Although blowing up PC boxes is much more satisfying ;-)
So why bother with Day 2 of PWN2OWN at all, considering its irrelevance IRL?! Because Day 2 is about providing evidence of a zero day vulnerability in the computer via Internet technology. And sadly, the Internet is not the safe place it was originally designed to be.
Social Engineering is all the rage these days as a method of luring and fooling LUSERS to go to a dangerous website and have nasty stuff done either to them personally, typically via identity theft as seen with phishing, or to their computer.
So to conclude: Day 2 of PWN2OWN and similar challenges to dig up zero day vulnerabilities are actually A GOOD THING!!!
The chances of some luser actually running into an Internet hack that uses a Mac vulnerability are extremely low. But every Mac user wants their machine to be 100% safe. Therefore, the more vulnerabilities revealed for Macs the better!
So I say:
I want PWN2OWN every single day of the year!
Bring on the hackers!
Let loose the Black Hats!
Embarrass the hell out of Apple over security vigilance!
Please!
We Mac users can only gain from the pain.
“I personally like Eran a great deal and find him to be a terrific writer and satirist.”
Previously you were just wearing a shirt saying fanboy. Now you’re wearing one which says I’m with stupid and an arrow pointing at your face.
“REAL WORLD CIRCUMSTANCES where a hacker…”
If by that you mean Real World Circumstances where the machine just sits there and is not used for email and web browsing, then it doesn’t meet any definition of Real World Circumstances I’m aware of. Anyone can keep a machine safe by closing all ports and not using it for anything. Vista also survived under that day’s rules so must be “As Secure” against those kinds of attacks.
The Day 2 Scenario is not simulating an insider helping, rather a typical user stumbling across a web page containing malware or receiving an emailed trojan.
The Mac went down first and to an Apple flaw.
To get Vista, they needed to relax the rules past what was needed to crack the Mac, and it went down to an Adobe flaw, not a Microsoft one.
“The chances of some luser actually running into an Internet hack that uses a Mac vulnerability are extremely low. “
Then you misunderstand how most attacks happen today. The Mac fanboy gets an email in his inbox, saying “Vista proven more secure than Mac OS X, Steve Jobs confirms findings”. Dizzy, confused and enraged he then clicks on the link to see if they have a feedback section where he can post how false this is. It takes him to the site which downloads the malware. The days of floppies and file infecting viruses are long gone. It’s almost all trojans and social engineering now.
MIA: derekcurrie’s snappy response proving how the fact that the Vista PC at canwest managed to survive one round further than the Mac, requiring the most relaxed set of rules to hack it proves beyond a doubt that Mac OS X is more secure than Vista.
Also missing: a link to supporting material from Daniel Eran proving that machines that require the most relaxed rules in hacking contests before they’re broken are without a doubt less secure than those whose security fails under the tighter rules.
It seems there’s only one ass here with bootprints on it, and the pocket protector on that person reads derekcurrie.
OFT (our fairie troll) sez:
“It seems there’s only one ass here with bootprints on it, and the pocket protector on that person reads derekcurrie.”
Derek laughs and laughs!
“MIA: derekcurrie’s snappy response proving how the fact that the Vista PC at canwest managed to survive one round further than the Mac…”
It’s nice to be wanted.
But again, the Vista machine was cracked under the same Day 2 rules. And again, the Day 2 rules, allowing the use of an accomplice luser, do not represent computing IRL. Zzzzzz
I’m starting a fan club.

;-)
“Vista machine was cracked under the same Day 2 rules. And again, the Day 2 rules”
Sorry DC, The Mac was cracked under Day 2 rules which allow vendor software only. The Vista PC was cracked under the Day 3 rules which in addition to vendor supplied software allow 3rd party browser plug ins, and it was cracked through the Adobe Flash plug in.
Do you even have the most minimal understanding of what went on at canwest? Apparently not.
Who do you use as your source of information? Daniel Eran? Consider a better source.
Canwest: Canwest Global Communications Corp., operating under the corporate brand Canwest, is one of Canada’s largest international media companies. The company’s head office is situated in Winnipeg, Manitoba at Canwest Place.
CanSecWest: Annual conference held in Canada that focuses on newly emerging information security research, and topics such as auditing and penetration testing. CanSecWest/core05: May 4-6 in Vancouver.
And you keep repeating this ridiculous assertion that Mac users don’t use Safari in real life, and that a “Real Life” use of a Mac involves connecting it to the Internet and never using a browser or email.
What’s with that? You’re obviously using a browser to post here.
The Day 1 rules are tough, harder than Day 2 and Day 3 rules and all operating systems survived that day.
But Day 2 rules are where the simulation of Real Life usage begins. Mac OS X failed the simple test. On Day 3 Vista failed the harder one.
Can you think of ANY real life use where you connect a Mac to the Internet but don’t enable any servers or use any clients?
As secure as you think your Mac to be, if you’re not planning to use the Internet connection for anything, wouldn’t you just save the money on the Internet connection and/or leave it unplugged for the best security?
But since derekcurrie is asserting that this is the only real world scenario, derek exactly what are you doing with the system when you have it set up like that?
Don’t answer “Posting to MDN” because we know the instant you do that you’re in a Day 2 usage scenario.
OFT (our foofy troll) sez:
“Sorry DC, The Mac was cracked under Day 2 rules which allow vendor software only. The Vista PC was cracked under the Day 3 rules…”
I’m so popular! Totally RadiKewl. See folks! THIS is how you get attention. Think of all the Google hits I’m generating. Ah, the spotlight of fame… (heehee). Seriously, no one is going to read this behemoth of a thread… except to read my stuff of course.
:-Q***********
Refusing to do your homework, as ever, poor little troll? I have a source for my information. What’s yours?
http://www.engadget.com/2008/03/29/linux-becomes-only-os-to-escape-pwn-2-own-unscathed/
Let me quote:
“the MacBook Air on display was seized in two minutes by the presumably well prepared Charlie Miller, and after two full days of work, Shane Macaulay and a few of his 1337 associates managed to crack the Vista rig on Friday. Reportedly, Shane and his pals weren’t expecting to do battle with the extra protected SP1 version of Vista, and while the exact loophole won’t be divulged, we are told that it was a cross-platform bug that “took advantage of Java to circumvent Vista’s security.” “
Conclusions:
– Both machines were PWND on Day 2.
– Charlie Miller et al. knew ahead of time what OS they would be cracking and had their zero day attack prepared ahead of time. Thus the 2 minute crack.
– Shane Macaulay et al. did NOT know what OS they would be cracking. They were expecting Vista without SP1. They had to discover, fresh that day, how to crack Vista with SP1. Thus it took them all day to do it. Nice work actually, all things considered.
– The crack of Vista has been speculated to be from yet-another Java flaw. But, yawn, again: Only the hackers, judges and OS developers know fur shur. Everyone is subject to a nondisclosure agreement.
But please. Do bore us some more OFT. This thread isn’t long enough.
Sorry, you’re not even close to right. The Mac was won on day 2, the Vista machine on day 3. The Vista team only won $5k and the machine because they relied on 3rd party software, not the pre-loaded software. The Mac guy walked away with $10k and the machine because he used only pre-loaded software.
See the rules:
http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008
And some commentary from the organizers, not some 3rd party interpretation:
http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up
These are some additional 3rd party commentary, as if that’s even needed to expose the obvious falsehoods you’re putting about.
http://blogs.zdnet.com/security/?p=988
http://blogs.zdnet.com/security/?p=993&tag=rbxccnbzd1
http://blogs.zdnet.com/security/?p=995&tag=rbxccnbzd1
Philosophical question of the day:
When derekcurrie finally realizes beyond any doubt that he was wrong about the circumstances under which the Mac was hacked, does he make a sound?
Does he accept the consequences of his actions and apologize for his mistake?
Or does he still keep trying to spin things?
Let’s See:
Thank you OFT for documenting your claim. I think that is the first time you have actually bothered. Funny how you are willing to document FACTS that are on your side, but you never document LIES that are on your side. You just state them as if they were facts. Hmm. How is that?
Anyway, I entirely concede the issue! This is very kewl information and I regret that I used Engadget as my source. Their statement that it took two full days to crack Vista was not only misleading. It was wrong no matter how you look at it. I of course interpreted it to mean what it says: That the Vista was cracked during the second day of the event. But no, they meant two days into the start of Day 2, meaning that the event had gone into Day 3, which has further easement of the rules, as you documented. (Whether the faulty app was Adobe Flash remains uncertain, according to the rules that is).
>>Deep and humble bow<<
Apologies one and all for spreading inferior and wrong information. As you can imagine, I never do so intentionally. I never have. Ever. Google me! Seriously! Like fur shur and stuff!
Now, why can’t you, OFT, take off the mask THIS time to take credit for your superior information as I have taken credit for my error IRL? Is even that too scary for you? So you have to expect, under these cowardly circumstances, that I have nothing to offer you but back handed admiration.
On this issue you kept your troll attitude, sad to say. But you transcended the troll intellect. Good work! Gaining better, more factual information is always in everyone’s best interest, and I always admire it. Thank you.
Now, does OFT change his ways and try to emulate me and other honorable bletherers here at MDN, who stick to the facts as they are presented to him by his sources and sanely make their case, using their real names, before the public at large?
Let’s See:
.
.
.
.
HAHAHAHAHA!
Right.
Like that could happen.
Of course he won’t.
Bring on the lies you cowardly troll you!
We’re all ready to take you on.
This is so stupid folks. (o_0)
But I like fighting stupid. To me there is nothing more heinous than a human lie disguising itself as ‘truth’. And let’s face it, this is not a place for honest debate. When people can say any nonsense they like and get away with it anonymously, they will.
At least the astroturfers are paid to spread FUD and lies. It’s beyond pathetic for someone to persistently hang out in Mac forums and drool delusionary comments as some sort of demented hobby or desperate cry for attention.
It’s known as Afib’s Syndrome.
“Funny how you are willing to document FACTS that are on your side, but you never document LIES that are on your side. “
Look derek, I’ve continually said what was right, and you’ve continually called me a liar and an idiot based on the “Facts” you supposedly had.
Now it seems we understand I was not trolling but continually correcting misinformation you were continually posting.
Now it would seem that OFT stands for One Fanboy’s Teacher.
Keep learning on the security side, if you get better you might even start to understand it. Who knows. One day, a long time from now, you could even know enough to write a blog on the subject.
Still ANONYMOUS, OFT sez:
“Keep learning on the security side, if you get better you might even start to understand it. Who knows. One day, a long time from now, you could even know enough to write a blog on the subject.”
That’s an inside joke. I already write a blog on the subject. OFT does not. He dare not. He also care not.
You must be a sad, little man.
derekcurrie:
I applaud you, sir. Your willingness to accept that you were wrong about that one little issue makes you an excellent human being. OFT, on the other hand, is still a puny person who won’t concede he’s wrong on virtually every other thing he wrote.
My very lengthy proof will follow.
Part 1:
Derekcurrie and OFT:
I’ve been following your “debate” for the past few days, and derekcurrie comes out on top. Here’s why:
1. Claim of the number of vulnerabilities as a measure of security.
OFT (for want of a better name, since the person or persons trolling this thread refuse to use a name we can call him) began the debate with this:
“Apple still takes a staggering 13 times longer than Microsoft to patch vulnerabilities and had 214 critical vulnerabilities in the last 6 months of 2007 vs Vista’s 22. That’s nearly ten times as many.”
This is undocumented and my own research was unable to verify these statistics. In fact, I did find this article http://blogs.zdnet.com/security/?p=758 which points out there were in fact 234 OS X vulnerabilities compared with 23 for Windows and Vista combined. OFT failed to document the source and to get the numbers right.
Furthermore, it is illogical to use this old data because vulnerabilities, once discovered, tend to be patched. OFT, how many of those vulnerabilities have been patched? How many still exist yet to be found in each OS? It is now August 2008 and if researchers were to go in right now and search both operating systems, how many vulnerabilities would they find? You can’t predict those numbers based on past performance. It may be that OS X had just 250 in total while Windows XP/Vista do, also, and the vast majority of theirs are yet to be discovered or worse, since Windows is a closed system while OS X is largely, but not entirely, open source, Microsoft may be sitting on untold vulnerabilities the public doesn’t know about.
OFT also failed to dig deeper and discover that Apple had actually delivered MORE patches in the six year period leading up to March 2008 according to Daniel Eran here: http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/ . Eran actually READ the IDG study the numbers are based on, and points out that while Apple is sometimes slower to patch a vulnerability, Apple “exceeded Microsoft in the number of security patches it has issued over the last six years, delivering 815 patches to Microsoft’s 678. That’s despite the fact that Microsoft serves more customers with greater security problems, more avenues for exploit, and infinitely more real world losses due to security issues.”
Oh, but OFT refused to read Eran’s articles because Eran, according to OFT, is an idiot. I pointed out in an earlier post that this is a logical fallacy; one cannot simply deny the veracity of someone’s statements based on one’s opinion of them or their possible motives. OFT failed to read the articles and respond to them.
Part 2:
2 “What’s clear is that Mac OS X is a holy as a piece of swiss cheese, but nobody can be bothered attacking it.”
OFT made this false claim and was wholly unable to substantiate it with facts and attempted to do so with faulty logic.
I’m not an expert in Unix but John Gruber is. He pointed out here: http://daringfireball.net/2004/06/broken_windows
“One difference between Mac OS X and Windows, however, is that Mac OS X doesn’t offer nearly as many places for nefarious software to hide. A major aspect to the scourge of crapware is that it’s extraordinarily difficult to find and remove it. This isn’t just about “typical” users; even expert Windows users get hit by crapware and can’t figure out how to get rid of it.
“Even if you ended up with piece of crapware installed, there simply aren’t that many places where it could hide. Assuming the crapware needs to launch itself automatically, it’s either going to be installed in one of the various /Library sub-folders, or it has to be listed in your user account’s Startup Items in the Accounts panel of System Preferences.”
That doesn’t sound like a “holy (sic) piece of swiss cheese” to me. Daniel Eran goes further: “Security researchers like Charlie Miller, who correctly point out that there are Mac exploits to patch, fail to also recognize that exploits are only part of the malware problem. An exploit can plant a malware seed, but without a Windows Registry to nurture it and wide open ports and poorly implemented network protocols to spread it, any potential Mac malware can be easily uprooted before it ever matures. That serves to make planting Mac malware an unworkable business: there’s never a harvest.” http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/
The number of vulnerabilities doesn’t matter; what matters is what could be done with them if they were exploited.
3. The case that viruses affecting older versions of an o.s. count.
OFT argued: “So BSD Unix, As still used on the Mac today, is the original proof of concept platform for Internet Worms.” When it was pointed out to him by derekcurrie that OS X is based on Free BSD and Open BSD, OFT countered with “Yet nevertheless you fanboys claim this great Secure Unix Legacy. But then you quickly admit that claiming that Unix always had great security is a false and a silly idea.” This is not a refutation, it’s an accusation. Derekcurrie’s point stands. (Furthermore, OFT made exactly the same claim later, arguing “Can you really count pre NT operating systems in the list because, there Microsoft made no pretense that security was a goal.. To get the equivalent root, all you had to do was sit down at the system.” So, OFT, do they count, or don’t they? Answer your own question.)
By the way, when a Mac was hacked at CanSecWest, the hacker was able to sit at and use the computer. Any time anyone gets physical access to a computer, of course they can pwn it, as you just pointed out above. That doesn’t mean the o.s. is full of holes. Different thing.
So, OFT, unless you can directly refute my points, and those of derekcurrie, Daniel Eran, and John Gruber, you need to admit that OS X is, in fact, secure relative to other operating systems available and a good choice for the common person looking for an operating system. Your (and others’) assertion that it is only safe because it is obscure is bogus and is thoroughly dissected in the posts I, and others, linked to. OS X is safe by design. Period.