As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up, running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, you could only attack the machine over the network, without physical access. On the second day, user interaction came into play (visiting a website, opening an email). On the third and final day, third-party applications were added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe’s Flash, and the Ubuntu machine did not get hacked at all.

Update: Roughly Drafted responds.

This of course resulted in the usual flurry of internet attention, and OSAlert, too, paid attention to the whole thing. I tried to be as complete as possible in the OSAlert blurb, trying hard to shove all the relevant details into the limited space of an OSAlert item. This morning, someone submitted a link to an article on Roughly Drafted, a Mac and Apple website that gets considerable attention, especially on Apple-centric websites. They published an article on the whole PWN to OWN contest, titled “Mac Shot First: 10 Reasons Why CanSecWest Targets Apple”. This article is filled with so many factual errors and other forms of misinformation that I felt obliged to add some nuance to the mix. I will touch on each of the ten reasons, following the original article’s order.

1. “Exploits discovered for the Mac have little other value outside of contests like CanSecWest.”

This is the only one of the ten reasons which has a solid base in reality, and actually makes sense. Indeed, there is little market (at this point in time) for selling exploits for the Mac, simply because the Apple user base is still too small to be of significant use to malware creators. This is no rocket science; malware creators are after easy profit, and attacking 90% of the market makes more sense than attacking 5% of the market. However, this does not mean that the exploit used to win the contest is of any less relevance. It is still a security hole, and it needs to be fixed. The details of the exploit have been forwarded to Apple, without making them public, allowing Apple to fix the issue. Therefore, this exploit will most likely not affect the real-world security of Mac OS X – but the theoretical security has been severely compromised, which is not something to sneeze at.

2. “The CanSecWest contest clearly appears intent to transfer the security focus belaboring Windows to other platforms.”

Here, we see a major case of what I usually refer to as the “black helicopter factor”, more commonly known as conspiracy thinking. Roughly Drafted tries to imply that the people behind the CanSecWest conference (or the contest itself) are somehow anti-Apple and pro-Microsoft, but delivers no actual proof that this is really the case. I am not really sure why they detail Microsoft’s “Get the facts” debacle, as it is of no relevance at all. Here, Roughly Drafted also tries to imply that CanSecWest “announced that Macs are less secure than Windows” – which is a curious way of putting things. If you look at the original announcement of the winner, you will see that no such claim is being made. The final wrap-up article on the contest does not make any such claims either. In other words, Roughly Drafted is clearly spreading misinformation to discredit CanSecWest.

3. “The contest prominently focused attention on the brand name of the MacBook Air.”

Roughly Drafted claims that only the MacBook Air was mentioned by name, while the other laptops remained unnamed, without any details on what brand they were. According to Roughly Drafted, this would have resulted in “the most sensational headline payload possible”. This is, again, a case of misinformation, as the contest’s rules page clearly states the brand and types of laptops used (“VAIO VGN-TZ37CN running Ubuntu 7.10, Fujitsu U810 running Vista Ultimate SP1, MacBook Air running OSX 10.5.2”).

4. “The Mac exploit was something Charlie Miller had in hand when he arrived.”

This one baffles me a bit. Of course he had it in mind! This is an irrelevant remark, as the exact same thing went for people wanting to attack and win the Vista or Ubuntu laptop and their associated sacks of money. This is the whole goal of the contest: to find new and unknown exploits, and deliver them to the relevant companies so they can fix them before they do any real damage – responsible disclosure. If I partake in a squash match, am I not allowed to practice and study my opponent before taking him or her on?

5. “The researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed, according to a follow up report by IDG’s Robert McMillan.”

The first service pack to Windows Vista (that would be SP1) was released into the wild on 18 March of this year. The contest rules clearly state that the laptops would run “the most up to date and patched installations” of the three operating systems. If the researcher who cracked the Vista machine was surprised to see SP1 on the machine, he simply did not read the rules very well, or he simply does not keep up with the news. Roughly Drafted goes on and says the Vista laptop “only reflects the state of Vista for users who have elected to install SP1”, and not of users throughout 2007. So, where is the cut-off point? Safari 3.1, with a whole batch of security fixes, was released a few days after Vista SP1. Should it have been excluded, since it does not properly reflect the state of Safari in 2007? This is why the baseline for these types of tests and comparisons is basically always the latest versions, fully updated, fully patched. This creates a level playing field for all the platforms, and everyone participating in the contest knows what to expect.

6. “Miller reported hacking something related to Safari, but the details haven’t been revealed.”

Safari is a default part of Mac OS X, and is, as such, a possible attack vector, in the exact same way that Ubuntu has Firefox, and Vista has Internet Explorer 7. A chain is only as strong as its weakest link, and if that weakest link is the browser, then the operating system has an insecurity. There was still a remote code execution and privilege escalation, and whether this is done through the kernel, Safari, or the folder icon’s 56th pixel in the 15th row is completely irrelevant. Many of the big security threats to Windows XP were related to Internet Explorer and/or Outlook Express; does this make them any less severe or relevant? In an update to the article, Roughly Drafted states that John Gruber claims the weakest link was a library used by WebKit’s JavaScript engine, which has already been fixed by the WebKit team. According to Roughly Drafted, “this suggests that the entire contest was about Miller proving he could temporarily outsmart an open source development project for a few days, rather than having anything significant to do with relative platform security between Macs, Windows, and Linux”. Again, something about a chain and weak links? Apple is responsible for the code it decides to ship with its OS, and for the speed with which they incorporate patches from the original developers into their trees. If Apple fails here, it is Apple’s fault.

7. “Attendees with the ability to crack Linux ‘didn’t want to put the work into developing the exploit code that would be required to win the contest’, according to [an] IDG article.”

Roughly Drafted continues: “Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn USD 10000 at a contest when they might be able to sell their vulnerability discovery for more than that.” Firstly, Roughly Drafted contradicts itself here. They stated that exploits for Macs were not used by malware creators in the wild because the Mac’s userbase is too small, and now they claim that an exploit for a home operating system whose userbase is probably even smaller can be sold for a lot of cash? In their hurry to discredit Ubuntu, they contradicted themselves quite severely. However, this is not the biggest problem with reason #7. The biggest problem is that they grossly misquote the original IDG article they say to have taken the quote from. This is what the article actually says:

“Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. “I was surprised that it didn’t go,” she said. Some of the show’s 400 attendees had found bugs in the Linux operating system, she said, but many of them didn’t want to put the work into developing the exploit code that would be required to win the contest.”

There is nothing on political motivation, nothing on selling exploits, nothing at all. All we have here is a highly anecdotal piece of evidence that “several attendees” had found bugs in Ubuntu, but that none of them wanted to “put the work into developing exploit code”. This statement is not backed up by any evidence, or interviews with any of these “several attendees”.

8. “Many exploits and vulnerabilities are not unique to ‘Mac, Windows, or Linux’, but instead are cross platform threats.”

This is a very valid remark, but also an utterly irrelevant one in this specific context. Windows Vista does not ship with WebKit. Ubuntu does not ship with WebKit. Mac OS X does ship with WebKit. As such, this exploit is not cross-platform at all. It will only become cross-platform (possibly!) when you install Safari on Windows, or Konqueror on Ubuntu. This defeats the purpose of the contest rules on day two, which clearly stated only default installations were used (third party applications were added to the mix on day three). Even if this was a cross-platform exploit, the reasoning is weak. This is actually a dressed up case of “but they are doing it too!” reasoning, usually employed by young kids trying to get stuff from their parents. But mom, Timmy gets two cookies with his milk, and I only one. I should get two cookies too because Timmy gets two too! The fact that an exploit exists on Windows does not absolve Mac OS X (or any other operating system) from its responsibilities. Exploitable on other operating systems or not, it is still an exploit on your platform.

9. “Miller has repeatedly stated that his life’s work is to discredit the security of the Apple’s platforms.”

Roughly Drafted claims that the fact that Miller exploited outdated FOSS code in Mac OS X says more about his “knowledge, expertise, and motivations” than it does about Mac OS X, Windows, and Linux. They state that somehow, Miller had it easy because he is a security expert, who only had to battle with “non-motivated colleagues on Windows who have sold their exploits to spammers” and “Linux expert colleagues who have no interest in trying to make FOSS look bad”. Let’s start with the Linux guys. Linux developers make FOSS look bad all the time. Try and load up the kernel’s bug database, follow the kernel’s mailing list. Read Ubuntu’s LaunchPad, GNOME’s Bugzilla. They are filled with Linux experts making FOSS look really, really bad by reporting bugs and security threats. In addition, I have a hard time believing the numerous Linux experts out there are not interested in 20000, 10000, or 5000 USD. As for the Windows guys, the proceedings of the contest severely contradict Roughly Drafted’s assumptions. If the Windows guys are indeed only interested in selling their exploits for huge profits to spammers, then why did Vista get hacked on the third day, for a relatively mere 5000 USD, using an exploit in Flash, which is installed on just about any machine out there? A major security hole in Flash, installed on so many Windows boxes, would be worth a lot of money according to Roughly Drafted’s reasoning – yet, the Windows guys decided to only score 5000 USD with it.

10. “Apple’s use of open source makes it easier for researchers like Miller to identify exploits.”

This is not true. The reason researchers like Miller can use open source software as an attack vector is not because of the inclusion of open source software in and of itself, but because Apple lags behind when it comes to integrating patches from open source software projects back into Mac OS X. Even though Roughly Drafted points out, rightly so, that Apple needs a lot of testing before releasing patches, this still does not negate the fact that this leaves known attack vectors open, adding insecurity to Mac OS X – and allowing smart people like Miller to win lots of money. Apple includes open source software because it means they have to hire fewer people to write software for them, which, logically, cuts costs. However, this also presents new problems for Apple, including one of security. Structural security problems like this might be beyond Apple’s control, but that does not mean the security threats posed are any less severe or relevant than security exploits in Windows.

Conclusion

The reason I decided to write this rebuttal was not to discredit Apple, or because I have been paid by Canonical or Microsoft. The reason I wrote it is because the article contains an unrivaled wealth of misinformation, some things even bordering on slander, trying to attack the credibility of CanSecWest and its organisers. Apple does not need a ‘Get the facts’ campaign with websites like Roughly Drafted ready to do it for them. Usually I ignore articles like this, but when they contain easily rebuttable misinformation and slander, I see it as my obligation to counter them, especially seeing how many in Mac-centric circles refer to Roughly Drafted as a reputable source. And trust me – this is just one example of the types of misinformation-laden articles on Roughly Drafted. Do with it as you please.
It’s all just a load of hot air after all. So yeah, some vulnerability has been found. They find them every day, in Linux, in Windows, in OSX. Just read any change log. Let’s talk when there’s some actual harm being done to Mac users. If we ever get to that point of course. He’s right in saying that Windows has been a plague for the whole computing world and he’s also right in saying the media really wants you to believe that somehow down is the new up.
Surely you can have a sterile environment that compares Vista to Mac OS X, but in reality there are way too many users who still use unpatched Windows XP/2000/98 installations, and that still counts. On the other hand, Mac users tend to migrate to newer versions of the OS quite a bit faster. It’s what happens in the real world that matters. The fact that somebody has found a vulnerability won’t change anything.
“Had in hand” implies that the hacker had something already tested and waiting. It’s saying he cheated.
“Had in mind” means he had some idea where to look and what to look for, as they all should’ve, being hackers.
*Edit* I was trying to reply to the main article. Drat!
Edited 2008-03-30 22:36 UTC
Of course, the fact that you replied to the first comment also means that you become the second comment and get a far higher number of readers.
But I’m sure that never crossed your mind.
O.K. First things first. I was not supposed to use a computer this weekend, but I got a call that required an email. And while I was here…
The most effective and pure *simple* technique to secure OS X is to not be logged in as an admin, or even any member of the ‘admin’ group. I own my Mac, I use the BSD-style ‘ladmin’ account with a complex password, and then I avoid using that account for just about anything.
The behavior is EXACTLY the same: when I need ‘admin’ access I type in both my admin name and password.
It is not common practice on a Mac, but I sincerely hope that we in the Mac community start to act right. It is hard to imagine a day when we are as bad off on OS X as we are ‘generally’ in Win XP, but that does not mean that I need to be logged in for admin purposes.
Mac OS X uses the sudo concept just like Ubuntu does, if I’m correct. On OS X, I ‘turn that off’ and use a limited account (because I’m able to remember two passwords instead of just one), but it’s the same default as Ubuntu’s.
I tend to keep sudo, but use a limited account with no sudo rights. Getting root access involves sudo adminUser (adminuser password), sudo -i (adminuser password). I get the benefits of having no root password as given by sudo, while running as what I’d actually consider a limited user.
Edited 2008-03-30 21:53 UTC
Back on the topic: securing it is easy; falling for this hack would be hard.
Yup, that confounded me a little at first too, as the first time I tried to sudo from a non-admin account I was given a terse security warning. Then I thought it through and had to nest one sudo inside of another. Well, in the end I find few reasons (outside of work — where I am the Mac systems admin for all North American Macs for a publishing co.), other than banging on some naughty or inefficient code that I wrote, to drop to the CLI.
And also, aside from reputable installers from respectable vendors, I am very rarely asked to enter my admin name and password.
So if I am at a web page and it asks me to enter my local admin name AND then my password, AND then I enter it, was I really hacked?
Social engineering is a useful tool in the world of crackers. So yes, you were hacked, but in this case it literally was *YOU* who was hacked.
I think it’s worth pointing out that on Ubuntu only the first user account created is, by default, a sudoer, and this privilege can easily be removed and added to another account.
System->Administration->Users and Groups, select the user and click Properties, click the User Privileges tab and add/remove “Administer the system”. You can of course just edit the sudoers file as well.
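The two comments above (running daily work from a non-admin account on OS X, and checking which Ubuntu accounts are sudoers) both come down to one question: which accounts actually hold admin-group membership? The script below is an added example, not code from any commenter or from OSAlert. It parses /etc/group-style data so it can be checked offline; the group file, the users alice/bob/carol and the list of admin-capable group names are all constructed assumptions for the example. The live-system commands in the trailing comments are standard macOS and Ubuntu tools, shown for reference.

```sh
#!/bin/sh
# Added example: audit which accounts hold admin/sudo rights, following the
# commenters' advice to do daily work from a limited (non-admin) account.

# Assumed list of groups that grant administrative rights on the systems discussed:
#   macOS:  'admin' (the default sudoers file has a %admin rule)
#   Ubuntu: 'sudo'  (the first user created at install time is added to it)
#   'wheel' is included for BSD-style setups.
ADMIN_GROUPS="admin sudo wheel"

# Constructed sample in /etc/group format: alice is the install-time admin,
# bob and carol are limited users who only belong to 'staff'.
SAMPLE_GROUP='root:x:0:
wheel:x:0:
admin:x:80:alice
sudo:x:27:alice
staff:x:20:alice,bob,carol'

# admin_groups_of USER GROUPDATA -> prints the admin-capable groups USER belongs to, one per line
admin_groups_of() {
    user=$1
    groupdata=$2
    printf '%s\n' "$groupdata" | while IFS=: read -r name pw gid members; do
        for g in $ADMIN_GROUPS; do
            [ "$name" = "$g" ] || continue
            # The member list is comma-separated; match the user name as a whole field,
            # so that "bob" does not match a member called "bobby".
            case ",$members," in
                *",$user,"*) printf '%s\n' "$name" ;;
            esac
        done
    done
}

# is_limited_user USER GROUPDATA -> exit status 0 when USER holds no admin-capable membership
is_limited_user() {
    [ -z "$(admin_groups_of "$1" "$2")" ]
}

# report_user USER GROUPDATA -> one-line verdict, suitable for a login script or audit job
report_user() {
    user=$1
    groupdata=$2
    if is_limited_user "$user" "$groupdata"; then
        printf '%s: limited user (no admin groups)\n' "$user"
    else
        printf '%s: ADMIN via %s\n' "$user" "$(admin_groups_of "$user" "$groupdata" | tr '\n' ' ')"
    fi
}

# Against a live system (not run here):
#   report_user "$(id -un)" "$(cat /etc/group)"    # Linux: group file on disk
#   dscl . -read /Groups/admin GroupMembership      # macOS keeps groups in Directory Services
#   sudo dseditgroup -o edit -d bob -t user admin   # macOS: drop bob from the admin group
#   sudo deluser bob sudo                           # Ubuntu: drop bob from the sudo group
#   sudo visudo -c                                  # after editing sudoers by hand, check its syntax
report_user alice "$SAMPLE_GROUP"
report_user bob "$SAMPLE_GROUP"
```

Run on the sample, alice is reported as an admin through both `admin` and `sudo`, while bob and carol come out as limited users; the same functions fed `/etc/group` tell you whether the account you work from day to day is really the limited one the commenters recommend.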
If I’m not mistaken, the cracker keeps the computer, right? If that is so, the MacBook Air was the first computer to be compromised because everyone wanted it. Nobody is interested in a VAIO VGN-TZ37CN.
The CD-ROM attack vector? Totally sealed off.
Nonsense. I would much rather have a Vaio than a MacBook Air. Despite design undoubtedly being a major selling point of the MacBook Air, I’m not even sure if it looks better than the Vaio. Besides, the MacBook Air lacks many features that I would like my laptop to have.
Edited 2008-03-30 21:54 UTC
Me too, really. The MacBook Air looks good, but the Vaio just suits me a whole lot better. Had I had the skills to hack my way into the Vaio machine, it would already be mine.
So, it’s a Vaio. You’re still stuck with an OS-limited machine that can only run Windows or Linux, NOT Mac OS X.
A MacBook Air can run pretty much any Intel-compatible OS.
That’s assuming Mac OS X would be a big deciding factor for the individual. One can want a Vaio laptop and not feel even in the slightest a loss of freedom by not being able to run OS X. Contrary to the hype out there, not everyone is tripping over themselves to get a machine running OS X.
What about the $10,000? (the other part of the prize)
Edited 2008-03-30 22:42 UTC
Same. I’d pick the Vaio over any mac. I like the design of the macs but I don’t like to be locked to one particular piece of hardware. But I’ve always had a soft-spot for Sony gear.
Edited 2008-03-30 23:21 UTC
The facts that each of the 3 machines was accompanied by its own cash prize, that the contest continued after the Mac was cracked but neither of the other 2 machines was compromised on the second day, and that $10,000 buys you 5 MacBook Airs, pretty much invalidate any argument that the Mac was only cracked so fast because the laptop was such an alluring target.
I know Artie MacStrawman considers Roughly Drafted a reputable source, but I don’t know anyone else who does.
At least he’s not a troll. Well, most of the time. Whereas I have a hard time remembering an article by Thom which wasn’t biased to the gills. Why do you think he feels the need to constantly remind us “I’m not being paid by anybody to say this stuff!”
Oh the hell with it. I had just come back to OSAlert after a month, read the news for a few days, then suddenly I’m being reminded why I stopped coming here and deleted it from the newsreader. I guess I was asking for it.
But since I’m here now, I’d like to point out how Thom embarrasses himself.
1. simply because the Apple user base is still too small to be of significant use to malware creators
That’s not what Daniel said (and Thom uses this argument not once, but twice). He never mentioned the size of the user base as a factor. He said “Once discovered, Mac exploits are patched within a few weeks”. That’s why such an exploit is only of theoretical value, not because of the size of anybody’s dick.
2. If you look at the original announcement of the winner, you will see that no such claim is being made
Yeah, ’cause that’s what people around the world will be reading, an obscure blog entry. Want me to remind you what links were given right here on OSAlert and what most people read? Techworld, IDG, Computerworld. And it’s no secret Microsoft has been publishing FUD in its pet rags to discredit any real competition. Excuse Daniel for saying that it looks as if CanSecWest was doing the same.
3. the contest’s rules page clearly states the brand and types of laptops used
Again, the magazine articles do not.
4. Of course he had it in mind!
“In hand”. Not mind, hand. “In mind” means something he’d have to try and see if it worked. “In hand” means he knew exactly what he was doing and how it was gonna go. This wasn’t a random thing an off-the-street hacker might try. It was a security expert going for the kill.
5. Roughly Drafted goes on and says the Vista laptop “only reflects the state of Vista for users who have elected to install SP1”, and not of users throughout 2007. So, where is the cut-off point?
The real cut-off point is out there, in the wild. And out there, SP1 didn’t make it very far as of yet. That’s where exploits like the one that didn’t work for that guy WILL work. And given the large user base you so fondly mention so often, it will have a much larger practical impact than a bug in a Safari lib which was already patched by now AND will be deployed to most users very soon.
You’re so bent on proving your points (like a good troll that you are) that you ignore the bigger points Daniel makes, and that damages OSAlert. He goes on to mention that the security model and ecosystem of Windows are deeply flawed, unlike Linux or OS X. But do you care about the bigger picture? No, you want petty victories over obsessive little points.
6. If Apple fails here, it is Apple’s fault.
Yes, granted. But they fix their mistakes (within days). And they have a deployment model that actually takes those fixes to the users. No software is perfect. It will have bugs. It’s in how the maker handles the bugs where you get to see how good they are.
7. they grossly misquote the original IDG article
No, he quoted it perfectly, word for word. The interpretation, however, is his. Can you tell the difference between a quote and a comment?
8. This is a very valid remark, but also an utterly irrelevant one in this specific context. Windows Vista does not ship with WebKit.
He was talking about Flash. Pay attention. Very often a vulnerability in a cross-platform application is used by trolls (such as yourself) against Linux or OS X. They use anything they can find. Doesn’t matter if they’re web applications, web servers or multi-platform browser plugins that could just as well be used on any platform (hence the “cross-platform” term), right?
9. Linux developers make FOSS look bad all the time.
No, they make it look GOOD. Reporting bugs and fixing them is GOOD. Hiding bugs and selling them to an underworld market which is flourishing because Windows security stinks is BAD.
Furthermore, for a person who contributes to FOSS, joining a contest such as this for money is beneath them. When you do things that you like with other likeminded people and you fix bugs routinely because you want the software you like to be better and because that’s what good security is, well, becoming a sensationalist whore kinda starts to lose its appeal, you know?
10. The reason researchers like Miller can use open source software as an attack vector is not because of the inclusion of open source software in and of itself, but because Apple lags behind when it comes to integrating patches from open source software projects back into Mac OS X.
Woosh. The point went right over your head. It being that since it’s open source, one can look right at the code and find bugs. Again, no software is perfect.
Apple may lag when integrating patches from outside projects (duh, they have to check it thoroughly otherwise someone will bitch how bad their products are), but that’s not what the point was. You completely turned it around on its head (good troll! have a cookie.) It’s not about how often or quick Apple fixes the code. It’s about the code being exposed. My offer to draw a picture still stands.
That’s it. The hell with this. I must’ve been cracked in the head to come back voluntarily to Thom’s trolling when there’s 50 decent news sites out there I can read.
Thanks for the clear-headedness.
Where are these news sites that cover multiple OSes?
I have found many that are worse than OSAlert, with poor reporting, lack of facts and lots of mis-quotes.
I have found a few that are as interesting to read as OSAlert, usually however they only cover one type of OS (Linux, Mac, Haiku).
I have never seen any that have better reporting than OSAlert without them also trying to bog me down with Ads, Ads, Ads.
And again outside the single OS news sites, I never learn as much from the comments as I learn here.
Please tell who these so-called better sites are, because I can’t seem to find them.
ArsTechnica?
You have to be kidding!
Slow, I am still waiting for the home page as I type this.
Ads, not too bad as they are on the side like OSAlert.
But articles are spread in short sections across multiple pages which are far smaller than found on OSAlert.
And I see no lack of fan-boys in the forums either.
How is it better?
The quality of the articles is definitely a lot better. They have much better original content; stuff by Jon Siracusa, Jon “Hannibal” Stokes, et al. is just far better than anything that has appeared on OSAlert. Unlike OSAlert, they do not just link to articles that others have written, they write their own.
I read arstechnica for the content while I usually browse OSAlert for the drama.
Under the “Full Story” link for pretty much any of the Ars frontpage articles, there’s usually another 4-800 words.
Depth of the articles, knowledge level of the editors, general quality of the writing, etc.
Don’t get me wrong – I like OSAlert for the breadth of content that’s posted here, and it is more of a news aggregate than a news site per se (while Ars is more of a news aggregate-with-commentary). Generally, I head to OSAlert to get an overview of the headlines – but I prefer Ars when it comes to analysis of particular topics.
I actually agree with this one. I’d love OSAlert to go into the same depth as Ars generally does, but sadly, this is simply not possible for now (time constraints, mostly).
Oh yeah – Ars needs 8-10 regular editors to get that kind of content. I imagine the OSAlert updates are time-consuming enough as is.
I didn’t want to go quite as far, but this comment reflects a lot of what I was thinking.
First of all, why is OSAlert, read by tons of people, “lowering” itself to the level of some Apple fanboy site? This article shouldn’t be more than a comment on the crappy site it’s reporting on (and if they don’t allow comments, it’s not worth responding to anyway).
Second, it is true that the contest has arbitrary enough rules that it’s not a real demonstration of system security, it’s simply an interesting and almost useless data point (this coming from a HUGE Linux geek, whose favorite OS “won” the contest).
Third, it takes a very special kind of site for the comments to be more even-handed and intelligent than the “articles” themselves, esp. in a world with YouTube and MySpace. Congratulations OSAlert! At least there are occasional links to useful content (and it’s rarely annoying enough to make me want to actually respond like today).
– Andrew (who uses a Mac, but only really loves Linux. who will also be leaving OSAlert in his RSS reader for some time)
“You’re so bent on proving your points (like a good troll that you are) that you ignore the bigger points Daniel makes, and that damages OSAlert. He goes on to mention that the security model and ecosystem of Windows are deeply flawed, unlike Linux or OS X. But do you care about the bigger picture? No, you want petty victories over obsessive little points.”
Agree. Often when Thom writes these kinds of pieces, he will claim that some argument is wrong, and then attack some obscure, non-critical phrase or point made in the argument, completely butchering the larger idea. Even in cases like this where I have no strong opinion on the subject matter, it’s still really really frustrating to see.
http://en.wikipedia.org/wiki/Argument_from_fallacy
Edited 2008-03-31 03:34 UTC
I’m usually not a fan of these type of anti-Thom comments, (if they aren’t trolling they’re not far off) but I have to say, well put.
I’m a fan of Linux as much as I’m a fan of OS X, but honestly, “hacking the Mac” is headline news whereas “exploit for some piece of software on Linux which will be patched in under 30 minutes” isn’t, and that’s the driving force behind this whole kind of security event.
Otherwise known as “being hosted by one’s own petard.”
Yes, no question whatsoever that some sinister motive is at play.
I mean, it’s not as if Google returns 32 pages of results for “shill site:osnews.com”.
While I used to read OSAlert very often, I’m replying to this post only because Apple fanboys get very nervous when their faith gets scratched. While someone can obviously be a fanboy of whatever he/she wants, keeping an objective point of view helps in life…
Should that be a valid argument? Thom wrote that CanSecWest didn’t claim what RD reported and I’m glad that you agree about this. Then people write what they wish and headlines get written to capture readers’ attention. But anyway, how’s that different from what really happened? If rules are fair, they got accepted and they’re valid for all systems, you can say MacOS was the weakest of the three systems. The “whys” and “wheres” matter for Apple fanboys to tell each other how much the World hates them…
That’s a laughable reply to a solid argument. Again, World hates Macs because they’re… uh? Please…
LOL! Poor Macs getting exploited by people determined to hack them! Only inexperienced guys should try to hack a Mac… if you’re an expert, hell, focus on Windows!
Laughable! EVERYBODY who signed up to that contest had something in their hands to think they could hack those systems! “Hey, I never hacked a computer, I don’t know anything about hacking but hey, I will sign up to that HACKING contest and then maybe… uh… I don’t know… if I think hard… maybe…”… c’mon! Every guy there had WORKING exploits which they tried. You don’t discover anything in 3 days… you just tweak your code to check if you can break into those systems too…
Practical impact… in the wild… large user base… blablablabla. Rules were simple: latest patches applied. It was valid for Vista and OS X too. But you’re so blind in defending your faith that even simple things look hard to understand to you. Next time Apple could sign up to a competition where rules are “latest patches only if Macs prevail… if not, let’s go back one unpatched level for other systems. If Macs can’t prevail yet, repeat until that condition is true…” yeah, fair!
I won’t even discuss the idea of a contest where rules state that systems should have only the “most used patches” applied… that’s clearly a boutade.
Oh sure… CanSecWest knew that Apple was going to fix that hole soon so they hurried to make their contest earlier in order to put Apple under a bad shadow… lol… New rules:”We can hold a contest only when all exploits have already been patched. You cannot set it to an arbitrary date because, after a few days, holes would have been fixed so…”.
Laughable and irrelevant. While SOME cross-platform holes exist, you cannot claim your hole is not relevant because it’s cross platform. That would be equal to saying that if a Ford car explodes they could claim that’s not a problem because Ferraris could explode as well. Right, but I didn’t buy a Ferrari, I bought a Ford. Users don’t care if there could be holes in systems THEY DIDN’T BUY. They care about holes in the ones they bought and if re-using code makes you more insecure, just don’t do that. I never heard Microsoft say that a hole in their systems wasn’t that bad because there could be holes in other systems. Typical fanboy argument.
Yeah, everybody hates MacOS. Laughable and typical fanboy argument.
Except that Ubuntu, which widely uses OS software, didn’t get hacked. So the decision to use OS software in MacOS was bad? Wasn’t that a selling point? Typical fanboy: one day using OSS is great NEWS (innovative! WOAH!), the other day it is a source of problems (but it’s OSS’s fault, not Apple’s!).
I hope the next Apple fanboy will have more solid arguments than “Everybody hates us” and “it’s not Apple’s fault!”. It wasn’t even funny because your trollish ability is not that good…
Nothing personal… we love apples…
So you’re responding to a very small percentage of users whose own ignorance will cause them trouble some day. Meanwhile, coming off as being as big of a fanboy/egoist as those you claim to be responding against.
The emperor has no clothes.
So what if Apple has a little pie in the face because of this? They will fix it and be stronger because of it. The user base will let Apple know they’re unhappy and Apple will have to respond. Heck, how long did it take Microsoft to take security seriously? It’s great news for everybody that Vista is more secure than its predecessors. It’s no laughing matter.
The real news that everybody seems to be glossing over is that webkit is open source and I haven’t read anything as to whether this “hole” is vulnerable across platforms.
I think you’ll find Microsoft patches are generally released more quickly than Apple’s and that Microsoft has to ensure that they don’t introduce any new incompatibilities for far more software titles spanning a far greater length of time. They could easily have a hundred shims for compatibility.
You’ll find that Microsoft’s Security Life Cycle is second to none, that their processes are well known so not only do you know that their patches are reliable for software titles spanning decades – likely 2 orders of magnitude greater than Apple has to worry about – but also they are more predictable since you know exactly what processes are followed before being released. You’ll also know how they rank the severity of the bug because the criteria are openly documented.
When it comes to making security a central part of software development, in fact building it into every part of the business, Apple is 5 years behind Microsoft and only started to take it seriously last year. They had better hope they get their act together quickly or they are in for a rough ride.
Lastly you will note that the bug that allowed compromising the Mac system was an Apple bug and that the bug that compromised the Vista machine was an Adobe bug. Both have recently shown us how sloppy they can be by not even bothering to read their EULAs before shipping software – the Photoshop Express EULA gave Adobe full control of the images you upload and Apple’s Windows updater not only tried to install Safari 3.1 on incompatible OSes (Windows 2000), its EULA stated that it could only be installed on an Apple machine.
Very embarrassing; sloppiness is not a trait you want in a company that is supposed to be providing secure software.
Lastly the Adobe bug could easily have been used against the Mac or any operating system running their software.
Edited 2008-03-31 20:43 UTC
I think with the adoption of the iPhone, Apple is going to come under quite a bit more fire. Hopefully Apple will put more resources into its security process. While this hack requires some bit of user interaction, I don’t think it would be too trivial to catch people, especially when many people I know will connect to Wireless Access Points with no discretion.
The first step in solving problems is to acknowledge the problems. The often unrealistic and fanatic fanboy attitude tends to be, however, to close one’s eyes from seeing the faults in one’s own camp or blame others for them. That kind of arrogance and hubris is not only foolish but often also dangerous.
I have no doubt that Apple’s Mac OS X platform wouldn’t be rather secure already or that it couldn’t provide even better security. But like the saying goes: security is a process, not a product. A lot of Apple’s resources and efforts seem to have concentrated on developing usability, GUI and such stuff, not so much on security, so far. They might perhaps even be technology leaders in GUI related things. But an advanced and good looking GUI doesn’t certainly yet mean that an OS would have good security too.
It is now only a good time at Apple to start to pay more attention to security too so that we could have even better Mac OS X in the future.
I completely agree, this is a good deconstruction of the Roughly Drafted article. Thom Holwerda did an excellent job. While RD sometimes has good insights and info, it is also prone to blind zealotry. This is one of the later; and the RDF is a bit too much.
Moreover, Thom’s rebuttal is tough but fair to Apple. A few writers/bloggers are confusing the OS with the default install, but Thom is very clear on this.
As he points out, the bottom line is that it’s Apple’s responsibility. Until they do, I think I’ll be using FF.
I have a lot of respect for John Gruber. He defends OS X a little too blindly for my tastes sometimes but he is generally a very good and reasoned writer. That said he was mistaken or over simplified the nature of the exploit used against webkit.
http://trac.webkit.org/projects/webkit/changeset/31388
is the patch in question in case anyone would like to review it.
For those who do not want to look at the patch or are not familiar enough with C++ coding I will provide some highlights.
First and foremost the patch and flaw are not in the PCRE API as John suggests, but in the adapter code specific to webkit. Even the most basic of checking would have shown the PCRE is a C API (w/ a C++ wrapper) and that the patched code was the C++ code used as an adapter for PCRE in the Javascript module of Webkit and was specific to Webkit.
Now that we have that out of the way… What is occurring is that Webkit would have a regex expression and would estimate the size of the resulting compiled expression. As long as the estimate was not under it did not have to be precise (line 1992-1993 original). The flaw came in the factor that Webkit engine did not take into account a maximum pattern size for the expression allowing for very large regexes using repeats to be underestimated and causing an overflow.
The original, vulnerable check (2148 original) was replaced with code that checks not only for an overflow specifically within the repeat section, but also checks for exceeding the maximum pattern size in the overall regex (2433-2444 new code). Further, if the max size is exceeded it throws an exception (whereas before it would continue).
So what we see here is a library that had a flaw in how it estimated the size of an object, allowing for an overflow. This is not in any way the fault of the core PCRE.
You could still say it was a flaw in an open source application, but it was one released and maintained by Apple, not a 3rd party API.
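The estimate-then-check pattern described in the post above, as an added illustration that is not WebKit’s, PCRE’s, or the patch’s code: a constructed model in which a 32-bit size estimate for repeated groups can wrap, beside the hardened version that rejects an overflowing repeat section and a total above a cap. MAX_PATTERN_SIZE, the Repeat struct, and the sample patterns are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the size-estimation step discussed in the thread:
 * a regex compiler walks the parsed pattern, estimates how large the
 * compiled form will be, allocates that much, then emits code into it.
 * This is an illustration only, not WebKit's, PCRE's or the patch's code. */

/* Hypothetical cap on the compiled pattern, standing in for the
 * "maximum pattern size" the fixed code checks against. */
#define MAX_PATTERN_SIZE 65536u
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* One repeat section: `groupLength` compiled bytes repeated `repeatCount` times. */
typedef struct {
    uint32_t groupLength;
    uint32_t repeatCount;
} Repeat;

/* Exact requirement, computed in 64 bits; used only to show the gap. */
uint64_t trueSize(const Repeat *reps, size_t n) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (uint64_t)reps[i].groupLength * reps[i].repeatCount;
    return total;
}

/* "Before": a 32-bit running total with no range checks. A large repeat
 * count makes groupLength * repeatCount wrap, so the estimate comes out
 * smaller than the real requirement and whatever is later written into a
 * buffer of that size runs past its end. */
uint32_t estimateUnchecked(const Repeat *reps, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += reps[i].groupLength * reps[i].repeatCount; /* may wrap */
    return total;
}

/* "After": reject a repeat section that would overflow on its own, then
 * reject a running total that would exceed the cap. Returns -1 when the
 * pattern is refused (the patch throws an exception instead of continuing). */
int64_t estimateChecked(const Repeat *reps, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = reps[i].groupLength;
        uint32_t cnt = reps[i].repeatCount;
        /* Overflow check for the repeat section itself, done by division
         * so the multiplication below can never wrap. */
        if (cnt != 0 && len > MAX_PATTERN_SIZE / cnt)
            return -1;
        uint32_t section = len * cnt;
        /* Check the overall compiled size against the cap. */
        if (section > MAX_PATTERN_SIZE - total)
            return -1;
        total += section;
    }
    return (int64_t)total;
}

/* Constructed sample patterns, expressed as their repeat sections. */
const Repeat kSmall[]   = { {3, 4}, {5, 1} };          /* 17 bytes          */
const Repeat kOverCap[] = { {30000, 2}, {10000, 1} };  /* 70000, above cap  */
const Repeat kWraps[]   = { {65536u, 65536u} };        /* 2^32, wraps to 0  */

int main(void) {
    printf("small:   true %llu  unchecked %u  checked %lld\n",
           (unsigned long long)trueSize(kSmall, COUNT(kSmall)),
           estimateUnchecked(kSmall, COUNT(kSmall)),
           (long long)estimateChecked(kSmall, COUNT(kSmall)));
    printf("overcap: true %llu  unchecked %u  checked %lld\n",
           (unsigned long long)trueSize(kOverCap, COUNT(kOverCap)),
           estimateUnchecked(kOverCap, COUNT(kOverCap)),
           (long long)estimateChecked(kOverCap, COUNT(kOverCap)));
    printf("wraps:   true %llu  unchecked %u  checked %lld\n",
           (unsigned long long)trueSize(kWraps, COUNT(kWraps)),
           estimateUnchecked(kWraps, COUNT(kWraps)),
           (long long)estimateChecked(kWraps, COUNT(kWraps)));
    return 0;
}
```

The third line of output is the point: the unchecked estimate reports 0 bytes for a pattern that really needs 2^32, while the checked version refuses it.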
The problem with this whole contest is in the way it gets reported. I’m not sure what it’s designed to achieve, but all it should do is highlight the importance of security. It is by no means guaranteed to accurately reflect the state of security in each of the three OSs.
The order of victories is certainly interesting and reflects a factor of computer security. Trouble is, the press report it like it’s the definition of security. And if they don’t, the fanboys will. Cue blogwar.
I still say no article with “Top X” (for any value of X), in the title is of any importance and the people who read them only have themselves to blame.
This was a competition. It does not show which OS is more secure and I do not think CanSecWest ever implied that this was the case. The purpose of the competition was to get some exploits reported and fixed.
All it means is that someone had a flaw ready for Safari and Adobe Flash but not for anything on the default install of Ubuntu. No more, no less.
The blogosphere really isn’t all that better than the MSM when it comes to sensationalistic BS.
So the Mac laptop has been pwned. Do you Mac guys feel insecure because of it? Well then, “Welcome to the real world”, baby. It happens everywhere. It’s the game: either the bad guys are faster or the good guys. Nothing else. I’d say this will just improve the overall security of Mac OS, which is surely a good thing.
So the Vista box has been cracked into because of issues with Adobe Flash. Does this scare me? Yes, it does. This proves that the widely used closed software is harder to review and the potential disasters are greater. Claims (even if unsupported) that this hack may be multi-platform makes me feel really uncomfortable. I’m waiting for a quick update of Flash Player from the ever-slow-moving Adobe. (but I’m not holding my breath)
So the Ubuntu box hasn’t been cracked. Does this make me feel more secure? Not at all. Since I have been following the development of many free and open source projects, I know what problems they may have. It’s the speed of publishing the patches/updates that matter. On every operating system, and by every vendor.
So the first successful person “had it in mind” or rather “in hand”. I’d rather say he did his homework well to maximize his chances. I’m sure the rules for the competition had been published sooner, so everyone was able to do the same. He did it and he won the gadget and some money. This time he was faster than the vendor. Next year this may very well be reversed. (shrug)
Overall the contest has been fun to follow and read about. So can we now go back to our usual work? Pretty please?
Edited 2008-03-31 00:21 UTC
If the Mac (and the Vista box as well) were running Safari (Flash on Vista) as the root/admin user, this is not big news. Apps not built for security and doing non-trivial processing of data coming in over a network have holes, period (though I agree with the assertion that Apple is ultimately responsible for the Safari code, since it is a bundled app and the default browser).
Now, if the objective was to get root/admin, and if the Mac was running Safari as a non-privileged account, or Vista was running Flash that way, that is not only an application hole, it’s an OS privilege escalation. And that’s much more interesting…and scary.
Apparently another example of some apple users reading too much against their holy platform again. I really hate fanatics.
Then again with so many factual errors it does not make the writer seem very credible, even among mac users…Yup, from the comments on that site it would appear to be the case.
As a Linux fan, this reminds me a bit of the time that Mindcraft handed us a lemon. We railed. We denied. We debunked. We demanded a rematch.
But in the end… our heroes, the kernel devs, made lemonade.
Perhaps the moral of the story is that it is counterproductive to take the incident too personally. Concerned Apple fans might do best to “make applesauce” and express their security concerns to Apple, help beta test new software releases, and see how things turn out next time.
What are you referring to? I don’t get the reference.
Is this the reference? Read the first paragraph.
http://www.mindcraft.com/whitepapers/openbench1.html
Apparently, Windows NT4 beat the crap out of Linux in some benchmarks and fanboys cried in denial. Eventually, the kernel was upgraded and everything was fine again.
Yup these things happen on all platforms. But it seems that unfounded paranoia occurs more often among mac users (or is reported more often).
Windows probably has the least, mostly because it can’t really inspire the passion of its users. That leaves mac and linux users. There are a lot of fanatics using linux but on the whole I believe that linux users are more enlightened (I’m biased tho so take it with a grain of salt).
What the hell is that supposed to mean? I know many linux users. The majority of them are hardly enlightened by any sense of the word. In fact I would be very hard pressed to want to describe any user base as enlightened.
Here’s a clue… Most people just want to get through their day with as little hassle as possible. For some, the PC is the best option. For others, it’s the Mac. And still others, it’s linux, etc… What the hell does that have to do with your level of “enlightenment?” Quite frankly, I would have to say anybody who is that concerned over the platform choice of their peers has got a strong case of megalomania going and is hardly enlightened. Perhaps you should admit that your bias requires more than a grain of salt, but a block.
You platform guys are far worse than rednecks who fight over which truck brand is better.
Gee, macUser. (Do you mind if I call you macUser? That is your OSAlert user name, after all.) I suggest you take your own advice and chill. I really don’t know what else to say in response to such a post.
Edited 2008-03-31 18:47 UTC
Yes, I use Macs. I don’t tell PC users to use Macs. I don’t tell Linux users to use Macs. I don’t consider Mac users more enlightened than PC users or Linux users. Computers are tools and the Mac is a better tool for me.
I am tired of being told by PC users and Linux users alike that I’m using the wrong OS and that theirs is superior (it’s gotten rather old since 1984).
Do you feel that linux users are more enlightened? Are they better people? After all, that’s what the post I was responding to was about. And yes, platform fanboys are worse than rednecks…
Rednecks are platform fanboys. But their platform of choice is a pickup truck, with a gun rack and a hound dog in the back. ;-p
Unimportant. I think that it would be most constructive not to let it bother you. The gist of this thread is that Mac users are overly-sensitive. Now, without committing to any personal opinion on that matter, I would point out that your post contributed to the perception that they are.
As a long time fan (20 years) of Unix, and later, Linux, I know very well what it’s like to be an advocate in a world dominated by another platform. It can be frustrating if you allow it to be. And we in the Linux community have a reputation for being a bit over-sensitive, too. IMO, the best course of action that any of us can take to counter that perception is to refrain from contributing to it ourselves. Have confidence in the choices which you have made for yourself. And don’t let the differing opinions of others worry you.
Edited 2008-03-31 19:29 UTC
Do you agree with the title of this thread?
As I explained previously, I’m not telling you that macs suck (they don’t) nor does OSX.
Perhaps I should have said Linux users are more informed.
But you have just made my point for me. You read too much into what I said.
Note that as a pc user, If I could use osx legally then I probably would be a happy user
Edited 2008-03-31 21:03 UTC
OK, I admit, I came across like a prick, but I really fail to see how comments such as Linux users are more informed/enlightened mean anything…
I’ve used Linux, I’ve used Windows, and my choice is still Mac. That doesn’t mean someone else would choose the Mac and they obviously don’t. In the OLPC scenario, are those kids getting a choice of which OS they’re going to use or are they going to use what’s been placed in front of them?
Back to the subject of the CanSecWest hack… If I understand the rules (and it’s a good possibility that I don’t) the participants were only allowed to used their “hack” against one platform. If I understand the hack (and it is again, a good possibility that I don’t) the “hole” is in webkit. If I understand correctly (and again I could be wrong), Konqueror uses webkit. If so, would this hack also affect Ubuntu, which comes with Konqueror, or any webkit derived browser on Windows?
I don’t know, because everybody seems more concerned with lumping crow on Apple and “fanboys.”
Correct
incorrect.
Konqueror is available for Ubuntu but is not installed by default (or even normally) on Ubuntu. Kubuntu of course has Konqueror but I do not believe this flaw affects Konqueror. In any case Konqueror is not Webkit based. Konqueror still uses KHTML as the core and will continue to do so for the time being at least.
So it’s possible that the Flash exploit that took down Vista could have taken all three systems?
Thanks for the info. I thought I had read at one time that Konqueror was going to move to webkit and thought they had. Good to know.
It is possible, yes. Having no information on the vulnerability I would guess that all 3 operating systems could be affected by the vulnerability with the same version of Flash. It is in situations like this where Apparmor and SELinux can mitigate risk. I would not expect Ubuntu’s current implementation of these two technologies to prevent such an attack though.
Yes.
There was a large “discussion” about that, which has never really been settled. It seems likely that both Webkit and KHTML engines will continue to be available, and switching between the two should be fairly simple. I’m guessing that large commercial distros like Suse/RedHat may move to Webkit while Kubuntu/Debian type distros may stick with KHTML.
But that’s all in the future, and the currently released KDE 4.0.x doesn’t use Webkit at all since it was only added in Qt4.4 (coming in KDE4.1)
In general they will be. Obviously this does not apply to you.
Compare the average linux user, windows user and mac user. This of course requires massive generalization, but out of percentages of technically knowledgeable people against the entire userbase of an os, you cannot doubt that linux users will score the highest, because by nature linux requires technical knowledge and that can translate to a better understanding overall of how an os works etc.
Of course if distros like ubuntu keep doing well that percentage will keep decreasing. I didn’t mean to imply they were better people whatnot or that linux rules everyone else sucks.
The entire tone of the article seemed to reek of twisting the facts to justify a perceived injustice. But also a lot of the comments from mac users on the site rightly called the author to account.
I was hardly being serious (semi serious). Relax!
That is why I said take it with a grain of salt. It’s a biased opinion based on observation. Since I am one person I can’t give a completely fair account and my observations will be tainted by bias.
As for the enlightenment, I am referring to it in the context of knowledge, not in terms of superiority of the platform. Linux users will use it out of choice. Mac and Windows users use what is given to them (not to say it is bad, I *like* osx) but the sheer fact that it takes some conscious decision to use (learn to use) Linux versus more popular operating systems will mean that Linux users will know more or understand the failings of other operating systems (not always willing to accept failings in their own tho), as opposed to users from the other 2 main oses.
I meant no offence, it’s just an opinion, you’re welcome to spew angry vitriol at me again if it makes you happy.
P.S. I also use the enlightenment de from time to time
Edited 2008-03-31 20:46 UTC
Mindcraft was sort of our Pearl Harbor. Microsoft secretly funded some “independent research” conducted by a “company” called Mindcraft. They put together an unlikely combination of hardware, including 4 100mbit nics (rather than the usual single 100mbit or single 1000mbit interface) and proceeded to prove that Linux performance was really bad based upon a static web page serving benchmark. The scenario was completely unrelated to anything anyone would want to do in the real world. And it turned out that “independent” Mindcraft didn’t actually have a lab at all. Microsoft loaned them theirs and paid for the “study” behind the scenes. (BTW, that’s not a black helicopter assertion. Some clever people tracked down the evidence and Mindcraft, which as it turned out had only one “employee”, fessed up.)
However, none of that shadiness changed the fact that Linux *did* perform very poorly in this scenario, due to lack of parallelism in the network and filesystem subsystems. (This was back in the 2.2.x days.) You can imagine the denial that triggered. For weeks there was at least one lengthy new rebuttal presented per day. Mindcraft set up a rematch in which Linux experts were able to properly tune the Linux box. And we still lost this particular benchmark.
Mindcraft was the impetus that led to kernel 2.4. It would have happened anyway. 2.2 laid the infrastructure that 2.4 utilized to parallelize a number of subsystems. It was really the plan all the time. But Mindcraft gave extra incentive to really make that top priority.
In the end, all the rebuttals were far less valuable than the work that the kernel devs did to fix the actual problem.
The analogy with the current topic only goes so far. I certainly do not imply that there was anything improper about the hacking contest. But the overall principle is really the same. Turn a current defeat into a future victory by learning from it instead of denying and rebutting it.
Edited 2008-03-31 14:33 UTC
If I remember correctly the rules of the comp were that no known weakness could be exploited. In other words Vista may have numerous vulnerabilities, all but one in a hundred known, and this one vector would be the way in. OS X has comparatively few vulnerabilities but matey knows of one that does exist and can then employ it to great effect in the comp. In other words nothing of any meaning has been proven at all.
So the RD response was basically a bunch of whining about how Apple doesn’t get treated fairly by the press, who are hyping up this failure in order to make money.
Umm, newsflash! That’s what the press does. If Vista had been hacked first, do you think there wouldn’t have been headlines like “MS Vista Still Insecure”? Do you think they wouldn’t have had a field day pointing out a Linux loss and that both commercial competitors had beaten it?
On top of that, the press is always adoring Apple. Look at how much positive press they get compared to their competitors, and it seems a bit hypocritical to complain so much about the occasional bad story.
… and I did not feel misinformed by any of these. It was relayed everywhere what would happen on day 1, 2 and 3.
.. just like a lot of fanatics.
Why is it so hard to admit that _right now_ Apple’s security is not as good as Vista’s or Linux’s? Things can change in a week. Security is a process.
And people, just don’t use vendor provided browsers .. it was a bad idea in 98 and it is still a bad idea.
@Kokopelli
What , what are you talking about?
yes the code is in webkit, but that does not change the fact that the original code is an open source code coming from PCRE.
In the source file pcre_compile.cpp, it is clearly stated this:
”
This is JavaScriptCore’s variant of the PCRE library. While this library
started out as a copy of PCRE, many of the features of PCRE have been
removed. This library now supports only the regular expression features
required by the JavaScript language specification, and has only the functions
needed by JavaScriptCore and the rest of WebKit.

Originally written by Philip Hazel
Copyright (c) 1997-2006 University of Cambridge
Copyright (C) 2002, 2004, 2006, 2007 Apple Inc. All rights reserved.
Copyright (C) 2007 Eric Seidel <[email protected]>
”
So clearly the code is derived from the original PCRE code, you can’t state that it is not. Gruber says something correct, he says that the exploit uses an overflow bug in the PCRE regex library used by webkit, which is the case, the bug is in the PCRE regex library.
The issue was not specific to webkit per se, as a similar issue has been found in PCRE prior to the version 7.6. I bet that Miller could find something similar in webkit and that he of course knew the PCRE issue exposed a few weeks ago.
And on the PCRE web site it is said:
“PCRE was originally written for the Exim MTA, but is now used by many high-profile open source projects, including Apache, PHP, KDE, Postfix, Analog, and Nmap. PCRE has also found its way into some well known commercial products, like Apple Safari.”
just in case if you still think that PCRE has nothing to do with webkit….
“You could still say it was a flaw in a Opensource application, but it was one released and maintained by Apple, not a 3d party API.”
That’s funny. When people talk about webkit, they usually come up and say “you, ah, no, Apple has nothing to do with webkit, this is a pure open source project, Apple does not do anything for it, bla, bla”, but when a security issue is found they blame Apple and magically it becomes code “maintained” by Apple. Strange, strange….
“It is now only a good time at Apple to start to pay more attention to security too so that we could have even better Mac OS X in the future.”
Give me a break!
In Leopard, Apple has introduced important security features like Mandatory access controls, downloaded file tagging, Library randomization , Execute Disable, Sandboxing, and Application signing. But, you tell us that Apple is doing nothing? Come on, just don’t talk about things that you don’t know…
Give me a break yourself… (Besides, that comment was made by me and not by Kokopelli.) If you could just sit back and calm down a bit, and read my whole comment, you could see that I was actually saying that “I have no doubt that Apple’s Mac OS X platform wouldn’t be rather secure already or that it couldn’t provide even better security.” So in no way was I saying that Apple would have done nothing to improve security. Where did you get that from? At least not from my text.
Apple has done a lot to improve the Mac OS X security – like others have done too to improve the security of their operating systems – but Mac OS X is still no OpenBSD. I was just saying that they could do even more, so that we could have even better and even more secure OS X in the future.
Edited 2008-03-31 09:43 UTC
I suggest you check the sources, as I did.
1) PCRE is a C library, not C++.
2) the C++ file in question seems to be loosely based on the C file pcre_compile.c
3) as far back as the Sept 2007 release of 7.4 (I also checked 7.5 and 7.6) there is not a function calculateCompiledPatternLength.
4) calculateCompiledPatternLength seems to be based on a section of the c code which is determining pointer length adds for groups (which does check for max size and really is not the same as determining the overall length of a compiled regex as is here.)
It is quite possible a similar flaw has been in PCRE, I will continue to point out though that the function at hand has not existed in PCRE as far back as 7.4. If it did exist it was in C and so the Webkit code was a port at best.
I did not say webkit had nothing to do with PCRE. I said the particular flaw does not have anything to do with the PCRE core. The code in question is not in PCRE or from PCRE. At best it is a derivative based on an older version of C code ported to C++ with the flawed function in question added. The basis for the flawed function may have been PCRE but a derivative function of a port is hardly in PCRE or a potential vulnerability of PCRE.
I did not, nor have I ever said that webkit has nothing to do with Apple. As far as I am concerned Webkit is a derivative product that Apple has taken and improved from KHTML. It is most definitely from Apple, supported by Apple, and since most of the code can not be back ported to the original it is distinct from KHTML (and in the case of this C++ class, PCRE).
Personally I find Apple’s orientation and methodology for security and patches to be quite acceptable. Again these are not my words nor my opinion. There are things Apple could be doing better, but it is a compromise towards making the user experience better. There are things Microsoft, Ubuntu, Red Hat, and just about everyone else could be doing better. That does not mean I find their current direction and attention to security unacceptable.
So again. The flaw is not part of PCRE, is not in the PCRE core, and thus not a vulnerability shared with PCRE. PCRE does have bugs and security issues that need to be dealt with upon occasion, as do all applications. This bug is just not one of them.
I am the person who submitted the link of the article on Roughly Drafted to OSAlert. My motivation was that the article has a point, and that people may be interested to read and discuss it. But I did not think that Thom would jump on it and write again what I call “the Thom BS”. Here you go again Thom, you could not resist doing your usual bashing, could you?
So let’s start, shall we….
1. It is not rocket science, but still you get it all wrong. Any hacker who wishes to make money can have a lot of interest in the Apple platform. You don’t need to have millions of computers out there, several thousand computers having malware or botnets would make a hacker more than happy. Apple is by itself an interesting target because those people could make a lot of money if they could deploy their malware, but they don’t, think why?? This argument of market share is stupid and translates the poor understanding that you have of the thing.
2. Well first CanSecWest is sponsored by Microsoft…..and please don’t embarrass yourself, you know that if wanted, Linux and Windows would have been compromised at the same time as the mac. No way that none of those so called security researchers have an exploit for firefox or IE. Come on, you can’t believe that…. this game was targeted at Apple, Apple had to fail first, period.
Miller has several times stated that it is easier to hack the mac, which basically says that the mac is less secure than Windows; he stated the same thing during the contest. Are you denying he did so? I don’t think so.
3. It was the case, look at the press announcing the contest, the mac book air brand name is referred to all the time, which came largely from the contest focusing on the term mac book air.
It is a relevant remark as many people out there are thinking that Miller magically hacked the mac in two minutes. Maybe not you, but it was reported as this in many places. Miller knew about the issue and that means that the same could have been done for Linux, but it was not, think about it.
5. You don’t get the point at all. What he is saying is that a particular security update done before or after such context can make a lot of changes in the context results. And he is basically right, it is difficult to contradict that unless you are dishonest, and you actually are…. It is amazing to see that you construct your point on things that it is not said by the original author and you come to us saying that he is wrong.
6. Well then admit that a linux distribution would be equally affected to if running KDE. The all point here is that there is no winner in that context because it does not say anything about the real state of security of these systems. And no, the first big security threats of xp is that it allows people to run with full privileges very easily, which other os don’t.
The fact remains that Miller has defected an open source code and this fact does not say anything about the security level of Linux, Windows and OS X. Read carefully what it is written, the author is not saying that Apple is not responsible of the code it ships, it says that the context is nothing more than defecting open source code that will anyway very quickly be fixed. Why are you always changing what the authors is really saying?
7. But it has been clearly observed that there was no will of developing exploit code for Linux. And don’t embarrass yourself again, you know that if they really wanted, they would have compromised Linux too.
8. You don’t get the point, do you? His point was to say that a given open source project which is shipped in other products can not be used as a measure of the security of a given os. He is saying that applying a FOSS vulnerability can not be used against Apple to give any judgement about Mac’ s security. You can’t even clearly admit the fact that being used in KDE, the flaw exposed in webkit also treats many Linux distributions out there. And consequently, the argument of Linux fanboys which says that Linux is more secure than OS X does not hold water.
9. Irrelevant argument….
10. That’s not his point. His point is to say that bugs found in open source code can be used against Apple. And this is what Miller is doing, but at the same time he states that Apple is less secure. Concerning the fact that Apple lags behind when it comes to patching bugs discovered in open source code, that is arguable, as Apple needs time to test the fix and so on, but the fact remains that people like Miller can use FOSS bugs against Apple.
And I find it strange that you call Miller a smart guy...
Apple does not include open source code because that saves them people to hire. BS, you are pathetic. First of all, Apple decides to include many open source projects that it could still decide not to include; Perl, PHP, Ruby, and so on are projects that Apple decides to include and that are not developed specially for Apple anyway. Including a lot of open source software is a lot of work for Apple, as it needs not only to keep them up to date but also to integrate them so that they work as expected in OS X. You are completely missing the reality of the big effort that it is.
Lastly, Apple does not include open source software without their own contribution so that it makes sense in OS X. Making it sound as if Apple is just magically using open source code shows how stupid you can be...
“The reason I decided to write this rebuttal was not to discredit Apple, or because I have been paid by Canonical or Microsoft.”
Don’t worry, neither Microsoft nor Canonical gives a shit about what you may do for them. Come back to Earth...
You dare say that people are spreading misinformation, but the fact is that you are doing it yourself. You are trying to argue against things that people did not even say, due to your poor understanding.
You could not resist jumping on the story without taking the time to think about what you would write and to make sure that you understood what people were saying. What should I say? Well, I guess you had better just continue to post links that people send to you and not try to be smarter than you are...
Can we please stop the childishness and get back to the regular Tech Reporting?
Edited 2008-03-31 10:35 UTC
Connoisseurs of MacMania have been greatly regretting that the Manager of Team Apple unaccountably decided to substitute Kelly McNeil at the top of the second quarter, when he was playing so well. But we now see that the Manager knew his players better than us, and in Daniel Eran Dilger he has truly found a worthy substitute. One who, in some ways, is even better in the position than the previous occupant.
So it’s cheers for DED as he sprints onto the pitch, and a small word of advice: the madder the argument, the more forcefully you must make it. Always mount personal attacks on anyone who so much as refers to an opposing point of view. Above all, bear in mind the doctrine of insufficient praise. The worst kind of attacks on The Cause come from those who are basically positive about it, but conceal in this some barbs of invented flaws. These are the truly dangerous ones. These are the ones you have to go for.
In parting, one final word. It is always important to make sure, when one kicks the ball hard, that one is facing the opponent’s goal. Your predecessor in this position sometimes appeared to get confused about this and kicked out wildly in all directions, all too frequently scoring for the other side rather than his own. Often he gave away damaging penalties by playing the man rather than the ball in these furious bursts of kicking. You too have shown similar tendencies in the past on matters such as market share. You will have to watch this, as otherwise you too will be substituted after a very short time on the pitch, and we will lose a great deal of innocent amusement.
Genuine technical question here, no trolling. Honest!
I use Mac OSX & Linux. Since the weakness has been tied to open source code that is widely used in a variety of contexts, is (or was) it possible to use this exploit to hack a Linux machine running the library in question? (Konqueror maybe, on account of webkit/khtml relationship?) Or is it certain that this exploit could only have been done on someone using Safari?
Anything based on Webkit, regardless of OS, can potentially fall prey to this flaw. This would include some of the Webkit based plasmoids in KDE4 as well as webkit based browsers on Linux.
I did a bit of research but stopped short of downloading the source for KHTML. I think, though I am not certain, that the JS engine including the PCRE issue is unique to Webkit. So I am pretty sure this particular flaw would not carry over to Konqueror, though again I am not certain.
Ubuntu doesn’t install Konqueror as a native app, so if the library poses a risk for Linux, Ubuntu wouldn’t have been exposed until the third day.
If the contest had included a machine running a KDE-based (by default) distribution such as Kubuntu, Mandriva or Suse, then it might have been cracked on day 2 along with the Mac.
None of this says squat about the relative security of any operating system, of course, but I still breathed a sigh of relief when Ubuntu survived. The trade press is always better at misleading headlines than technical analysis.
Tich tich tich…
Don’t cry, Apple fans. It’s useless to give reasons now. The competition is over and Linux wins! That’s it.
Oh yeah, by the way, the truth is that vulnerabilities on Apple’s side have increased even more than Windows’.
So Apple sets high prices for these crap products, and they always advertise against the PC.
Tich tich tich…
Losers!
I’ll be the first to admit that contests such as these shouldn’t be treated as the only metric that people use to assess the overall security of a platform; HOWEVER, that said, these contests can be useful as a way of “taking the pulse” of general platform security from time to time. Regardless of whether you like the results, the results were FAIR.
1. The rules were fair and evenly applied to each of the platforms and contestants.
2. There were no surprises. All of the contestants knew the rules in advance, knew the platforms, and knew that the platforms would have the latest patches applied for all software installed.
3. All of the contestants were respected security researchers. Whether they had or have a particular bias against a given platform was irrelevant to the contest. Frankly, whether they were motivated by money or ideology or notoriety doesn’t have any bearing on the results.
4. There were equal incentives ($$$, hardware) to attack each of the platforms. $10K buys about 5 MacBook Airs so, clearly, the choice of which platform to hack wasn’t a financial or tech-drool one.
5. Market share of the platforms was irrelevant to the findings.
6. Value of the vulnerabilities on the black hat spammer/malware market was irrelevant to the findings.
7. Availability of source code was irrelevant to the findings. Security through obscurity has been shown to be ineffective time after time. Apple lost, some say due to its use of OSS code, but that is directly contradicted by the fact that Linux won, and it uses OSS code.
8. The sponsors of the event (Google, Microsoft, Juniper Networks, Cisco, Adobe, etc.) had no bearing on the outcome. To believe otherwise is to believe that competitors Google, Microsoft, and Adobe “had it in” for Apple; which, quite frankly, is ridiculous on its face. Not only that, but Adobe (one of the primary sponsors) received a slap in the face when Flash was a high-profile target.
What I care about MORE than anything is what we’ve all LEARNED from this exercise. We know that remote exploits are harder than ever to pull off (that’s a good thing) and none of the platforms have unnecessary/exploitable ports open, that application weakness is the next line of attack, and that general assumptions about Mac security have been shaken badly. I would argue that this isn’t a bad thing. Apple, Adobe, Microsoft, Google, and others can take that knowledge back to their offices, and start addressing the types of problems that were discovered; and, in the end, it will yield more secure software. Which is what we all want.
“Of course, one can’t write slander (it’s called libel), but his serious accusations failed to refute any of the points I raised, and really betray his effort to smear me rather than correct any facts I presented.”
This comment doesn’t even need writing.
Reading the OS News blog versus Roughly Drafted, it occurs to me that the principal difference is the perspective that’s being taken.
OS News focuses on the technical qualities of the OSes and the intrinsic fairness of the testing procedures.
RD focuses on the real-world security of the OSes and, in relation to that, the unfairness of how the testing outcomes will affect the OSes’ reputations.
Like a real tech geek, Holwerda seems to remain blind to Eran’s perspective, countering Eran’s arguments with arguments that underline the test’s intrinsic qualities, while missing the point of Eran’s comments, which is that the test outcomes suggest that the Mac is less secure than the PC while in practice the opposite is the case.
Eran, in his turn, can’t imagine that Holwerda is enough of a naive tech geek to be blind to that, and suspects that the test has been set up the way it has deliberately in order to generate a newsworthy outcome, resulting in extra pagehits for OSAlert.com.
Personally, I think Holwerda’s motives contain a bit of both.
I think his geeky curiosity for the intrinsic security of the various OSes is sincere. It fits with the nature of OSAlert.com in general.
But I don’t think he’s truly totally unaware of the way he contributes to a false perception of the various OSes’ securities and the extra pagehits OS News gets this way. I suspect Holwerda just tries not to think about it.
Edited 2008-04-01 10:52 UTC