Predictable responses from the idiots on both sides...
...with those who fall neither below the 5th nor above the 95th percentile on the OS zealotry scale being not particularly surprised, bothered or worried any more than they already were.
Mac is the first to fall in Pwn2Own hack contest
A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off. Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by …
-
Friday 28th March 2008 11:29 GMT Steve
@ Ben
"The number of bugs per line of code has no correlation whatsoever to how many times the compiled code is copied/sold. This is in contrast to the direct correlation between bugs/LoC and eyes/LoC."
That's not what he said. He was talking about the number of KNOWN vulnerabilities. In this case there certainly is a correlation between the number of people using code and the number of discovered bugs.
If there weren't, then beta testing could be done by one guy on his own just as effectively as 200 people testing simultaneously.
-
Friday 28th March 2008 11:33 GMT Inspector_Morse
Mac OS X Firewall
I am a Mac user, so I suppose that does make me a fanboy, but not a rabid one.
OS X does have its faults, as do all OSs and as many have already noted.
BUT, in an attempt to get some rationality into this debate, consider this:
1. Mac OS 10.5.2 comes, by default, with the Firewall switched off, as has been the case with all previous versions of OSX.
2. From the competitions web site:
[Question] Anonymous commented on 2008-03-27 @ 19:26
"Are the OS installs left in default configurations, or are some settings turned on or off by the organizers?"
[Answer] ZDI commented on 2008-03-27 @ 19:54
"All platforms are left in their default configuration, as if a normal desktop user were operating it."
3. (Miller) said he chose Apple over the other machines because "I thought of the three it was the easiest."
Well who wouldn't think that a machine with a disabled firewall was the easiest target for a remote telnet exploit!!? The easiest $10k possible, plus a free Airbook to boot!
4. Why in God's name Apple does not make the Firewall default "On" has always baffled me.
Meanwhile, it seems that the competition is fundamentally flawed, if the Vista and Linux machines have their firewalls on by default.
-
Friday 28th March 2008 12:11 GMT Ian Davies
@brimful
"no but it does mean you'll be 'safer' "
A fine example of faulty logic. In the same way that saying the guy the train hits first will be 'more dead' than you. The end result is quantifiably the same.
It is impossible to claim (and idiotic to try and claim) that one platform is absolutely more secure than another, because it is impossible to accurately measure.
Only if every computer user had a Windows machine, a Mac OS X machine and a Linux machine side by side at all times, and only if every hacker dedicated an equal amount of time to hacking attempts on all 3 platforms, would we be able to make any judgements of absolute security. In the real world, one can only judge the *effective* security of a given platform, which is, of course, influenced by many factors including, but not limited to, installed user base.
The fact that there are many, many more Windows users does not change the empirical FACT that there are many, many fewer security vulnerabilities, viruses etc. on the Mac OS X platform. The platform is EFFECTIVELY more secure. I am statistically LESS LIKELY to suffer a remote attack on a Mac OS X machine, than on a Windows one.
Claims that I would at just as much risk if there were as many Macs and PCs is meaningless drivel, when that is patently not the reality in which we live.
Obviously, as the Mac OS X platform gains market share, it follows logically that it is likely to suffer more attacks (successful or not). What will be interesting is whether the number of attacks grows *proportionately* to its market share. Currently, that is not the case. Regardless of where you peg the Mac's market share (dependent of territory, demographic, direction of wind etc.) it cannot be denied that its level of actively exploited security flaws DOES NOT correlate to its market share. This may well change in the future.
It does not change the fact that, right here and right now, I am safer using a Mac than I am using a Windows PC. It may well be that I would be safer still using a Linux PC, for exactly the same reasons.
-
Friday 28th March 2008 12:11 GMT Seanie Ryan
thank god
as a long time mac user (and other Os's daily), i am glad this has finally happened and levelled the playing field.
Now people might wake up to the fact that all OS's have security holes.
The only thing all computers have in common is the dumbo at the keyboard, effectively, the 'nut holding the wheel'
Apple needed this wake up call.
And users need to be educated more then ever.
I got a call the other day from a client telling me that a virus got past my filtering and going mad. Turns out an email with a link came in and someone click the 'Free Porn' link. I am still amazed that this happens. surely all employees are told first day : "DONT DO THIS."??
oh, and windows users suck !!! LOL
-
-
Friday 28th March 2008 12:31 GMT Hywel Thomas
@Inspector_morse, r.e. Default settings
I use a Mac too, but I'm not kidding myself that this is in any way unfair. They absolutely should use default setttings on all machines, That's the whole point. How secure the machine is out-of-the-box without having to tweak anything. Without the user having to have any knowledge of security.
-
Friday 28th March 2008 12:31 GMT Anonymous Coward
Apple users tears taste so good
It was hacked first because it was the easiest.
Trust that with $10,000 on the line, anyone would hack a linux or windows machine. Its friggin $10,000 dollars. People tried all day I'm sure.
The point is OS X users think they are invulnerable and are using some sort of 'super' computer. The truth is with a 3% market share (what 4% maybe?) who cares about them. As a hacker I would attack the two most common machines on the internet. Windows and Linux.
I would primarily hack linux hosting boxes considering they are more likely to have high-speed connections and not slow ass cable or DSL connections. They will reside online 24/7 and never be restarted.
I also know that the term "Root Kit" doesn't come from gaining "Administrative" privileges on a Windows computer - considering 'root' doesn't even exist on the O/S.
Also to give people an idea of how well this mac exploit would work:
1. Setup fake links
2. Tail your Apache log file
3. Telnet to any machine that has clicked your farm of links.
4. Execute code freely.
That sounds even easier then forcing someone to download and install a peice of shitty shareware filled with spyware.
-
This post has been deleted by its author
-
Friday 28th March 2008 12:53 GMT Damien Jorgensen
FFS Mac Fan boys shut the f**k up
you go on and on and on
and yet when dear old bill gates beats you (its happended before lol) you cant take it.
OSX this day is more insecure than Windows and Linux.
Its not hard to get your head around.
For all that c**P about picking OSX becuase he wanted the mac or something, for god sake hed get $10k no matter which machine he get into.
And if I wanted to win, I'd pick the easiest box to break!
Morons
-
-
Friday 28th March 2008 13:15 GMT WhatWasThat?
Sorry, have to do this...
But having a user click on a link to a web site is hacking? From the original article, I was under the impression that these three laptops were sitting there - with no user intervention - and the attacker walks up to the table, connects with a patch cord, and has to come up with an attack RIGHT THEN AND THERE. What gives?
I suppose if the generic definition of (computer software/OS) hacking is deemed to be "gaining unauthorized access or perimssions within an OS through a flaw in the OS or a process running within it", then this would meet the definition.... but geesh. I was expecting something better than "exploiting" a user's idiocy. I mean, what's the challenge?
Secondly...
@ Ian Davies:
"Claims that I would at just as much risk if there were as many Macs and PCs is meaningless drivel, when that is patently not the reality in which we live."... "it cannot be denied that its level of actively exploited security flaws DOES NOT correlate to its market share. THIS MAY WELL CHANGE IN THE FUTURE." [Emphasis added]
I appreciate your attempt at a balanced argument, but you wipe away that the credibility for the basis for your own argument at the end, there. At no time before has such connectivity been applied to so many computers running an OS with MS' market share. There is simply no logical or historical comparison of any kind for any data to make a logical assertion.
Any and all arguments based on market share as a factor of "exploitability" or security have no way of comparing any two (or more) flavors of OS with any validity, though it does provide an intellectual "thumb and blankie" to all advocated (both for and against) so they sleep better at night.
-
Friday 28th March 2008 13:17 GMT Anonymous Coward
Halloooo!!!
..In the interest of good journalism.
Are we sure that ANY kind of code was executed on the Mac?
I smell a rat here and not because I am any Mac Fan but because my idea on how telnet works would have to change radically.
Has anyone gone looking what this exploit actually does?
As I mentioned before: by looking at the specific exploit it does not seem to open any possibility to execute any code on the Mac itself.
I am still not convinced. Anybody?
Mabuse68
-
Friday 28th March 2008 13:17 GMT Edward Rose
Secure?
@Paul Buxton - What? Out of all the idiots here, you're the best ...
I'm a Gentoo user, I don't think it's perfectly secure. And unless you are quite delusional I don't think many Linux users believe that. Just MORE secure (even if it is just due to less people trying). Okay, most confess I don't run a S/W firewall, I don't use any mainstream desktop so I couldn't find an easy way of setting one up in the past. It does seem to be a failing of many *nix packages. It only works with this major desktop, or that one. How about starting generic and then polishing?
The biggest issue isn't with what bugs are found, it is how long it takes for the exploit to be stopped. Unfound bugs aren't a problem, bugs found and patched in a couple of days are a very little problem, bugs left open for a long time are near criminal. The average user? Well, the OSs own security issues pale in comparisson.
-
Friday 28th March 2008 13:55 GMT Simon Greenwood
And let's not forget
Webster is a *Linux* fanboi, it's admitted it itself, and I can assure you that there are *bigger* holes in Linux coming and they will be exposed as Linux gains popularity as a desktop through the growth of Ubuntu. I can see it happening now: I'm trying to build a couple of non-standard systems for specific purposes using Ubuntu and the problems that I'm having are being responded to by people who really don't know what they're talking about and on one occasion actually almost disabled a machine because the piece of software I was using, which is in the standard Ubuntu distribution, started producing logs that got to 32Gb in size by the time I worked out how to stop them.
Don't get me wrong: I love the freedom and innovation of FOSS, and I'm shortly going to be equipping a Dell XP1330 with Ubuntu for use as my business laptop because as much as I equally love OS X's usability it's getting too proprietary for my liking, and turning 'just works, with the power of Unix under the hood' to 'just works, with the power of the bits of Unix that we want you to use under the hood'. The only piece of OS X software that I would miss in every day use is Unison, and I'm working on that. However, the rushing featurism that seems to be a result of Ubuntu's growing feature set seems to be making things less stable and secure as opposed improving stability and security. This is my personal feeling after being a Linux user for 15 years or so and an enterprise Solaris engineer for 12 so don't call me on it, by the way. I also believe that Iif and when Linux crosses that magical line of having a measurable percentage of desktop users, it too will have to make enough concessions to usability to make it more open to security breaches.
When I get home tonight and boot my laptop there will be some updates to download as it's been switched off for a week. It's reassuring that problems are discovered and responded to quickly of course, but to suggest in any way that half of the issues aren't buffer overruns and the like that *could* become security problems would be deluding yourself. A brief trawl through the CERT lists would confirm this.
Oh... and by the way, if the exploit was through Safari, then it was mostly likely through Webkit, which is of course an open source project, running on an operating system which does, after all, share the same codebase for about 80% of it's functionality as, cor blimey, *BSD, which is also a number of FOSS projects. What exactly were we railing against, again?
-
Friday 28th March 2008 13:59 GMT Robert Hill
Not really a Safari issue?
I first thought this was a damning indictment of Safari, a non-battlehardened browser, then I realized that the ability to reverse telenet into a PC wasn't browser-based, but OS-based.
OUCH!
So OS X allows remote telenets from TCP-IP sessions it has established without further verification of the other party, eh? No additional log-ins needed?
That is a gaping hole, a whole lot of hole, if that is truely the case.
Bad flaw Apple...very bad flaw.
-
Friday 28th March 2008 13:59 GMT Anonymous Coward
Apple Fan-bois disappear up own Arse first
I can't believe the apple fan-bois trying to defend an indefensible position here. Your machine got hacked first and the reason given is "that its more desirable". Bullshit. Your machine got hacked first because it was the easiest to hack. Apple is worse than Microsoft at patching security problems, and Microsoft isn't what you would call good. Linux is full of security holes - I've seen friends who are top notch Linux experts still get their servers rooted. All Mac-OSX is is a crippled and badly patched version of Linux, so no surprise they got rooted first.
Of course, I'm expecting the fan-bois to come on and argue vehemently that black is white. Sorry to burst your bubble, but Apples are nothing more than crippleware on expensive hardware. The expensive hardware helps a little with stability, but the software certainly doesn't.
Get a life and stop blindly worshipping at the temple of jobs.
-
Friday 28th March 2008 14:31 GMT John W. Naylor, Jr., P.E.
Er....Wrong Target
Hello ! With all the attacks on the Mac OS, did no one perhaps notice that the OS was not cracked ? Criticize Apple if you will, they deserve it, for leaving the hole in Safari but if you bother to read the article, none of the machines were cracked on Day 1, the day that the rules said you have to crack the OS. None of the OS's were cracked.
Now Windows users might not realize this since MS demanded to integrate it with the OS, but a browser is not part of an OS, it's an application ! If ya gonna rant, rant at the right target.
From the reporting side, I would have loved to know:
a) what happens is Safari is installed on Windows ?
b) what happens if both OS's are set at the same security level (both firewall's on or both off) ?
-
Friday 28th March 2008 14:31 GMT Paul Buxton
@Edward Rose
"I'm a Gentoo user, I don't think it's perfectly secure. And unless you are quite delusional I don't think many Linux users believe that."
How could my rationality (or delusion if you prefer) influence your opinion on what Linux users think?
Re-read your sentence and then decide who's the biggest idiot. And when you actually learn how to string a coherent sentence together then, by all means, feel free to post back here to apologise.
We already have Mac fanbois claiming all sorts of things to try to dilute the results (but they've already had their kick in the teeth so that's understandable). This is another reason I hope that the Windows box outlasts the Linux box - I'd just love to hear your excuses on how the test was flawed Edward.
-
Friday 28th March 2008 14:39 GMT Simon Greenwood
re: Not really a Safari issue?
Any running daemon can be telnetted to and will probably return some kind of response, and *something* probably has a stack overflow issue that has been exploited in this case, although I strongly doubt that it's telnet itself. The bigger concern is probably that something that creates an open port that can be exploited can be launched by clicking on a link in Safari - if that is a reasonable analysis of the exploit.
-
Friday 28th March 2008 14:39 GMT Ian Davies
@WhatWasThat?
"There is simply no logical or historical comparison of any kind for any data to make a logical assertion."
Where did I make any assertion as to the relevance of historical activity? The only phrases I used were "right here, right now" and "in the future". Also, why does a lack of historical data automatically preclude a logical evaluation of the current situation?
Your points only strengthen the argument I was making, not weaken it. So what if there have never been so many Windows machines connected to the 'net as there are now? Should a platform's relative security still not be reflected proportionally in the number of active exploits on that platform? Because that is not the case.
Yes, I can think of many reasons *why* that might not the case, and no, I'm not saying that all of those reasons are related to OS X's theoretically greater inherent security. But none of that detracts from the simple premise that for the majority of people, their experience = their reality. My reality is that I am using a platform that has zero in-the-wild viruses (yes, I still run ClamX AV) and has almost no security holes that can be exploited without me doing something stupid like clicking links on an untrusted website, or downloading (and executing) applications from an untrusted source.
-
Friday 28th March 2008 15:52 GMT Vernon Lloyd
Will some of you listen to yourselves
Bickering over which OS is better.......they are simply a means to an end.
Which ones better.....the one I can support which gives me the biggest wage packet.
Remember this 'Without problems you would not need solutions'. This can be translated to 'Without broken OS's and PEBKACs issues I and many more people would be unemployed'
PEBKAC = Problem Exists Between Keyboard and Chair
Paris cause I would like to give her a good crack
-
Friday 28th March 2008 16:10 GMT Gulfie
@Damien Jorgensen
Any computer, regardless of OS, is as secure as the user/administrator makes it. Given the time I'm sure a regular Windows/OSX/Linux admin could make their chosen OS installation as secure as admins of either of the other two could do.
FFS lighten up, I use all three OSs regularly (albeit mainly Windows XP, not Vista, and OSX) and they all have their merits and flaws, they all have their place, this simply demonstrates that the default configuration of the Mac is dumb. Apple should use this wake-up call to harden up the default configuration somewhat.
POETS day - I'mm off now, hence the jacket.
-
Friday 28th March 2008 16:10 GMT 'Mash
This is why I use a pad of paper, pen and a sturdy briefcase
I do all my work with a pen on a pad of paper and then put all my notes in my briefcase which I carry in my hand. Sometimes when I feel a little nervous I attach a handcuff to my wrist and the other to the briefcase handle.
Oh and that intonet thing, I go to the library instead.
It's the safer way.
-
Friday 28th March 2008 16:10 GMT J
Hm...
I don't like OS X, don't care for Macs. Disclaimer done. But...
Very few seem to have read the article with care (and all I can go by is what's in the article, so this might be wrong), judging by the very few comments mentioning that:
*No OS was cracked in the first day.*
What is the logical conclusion from that? To me, it seems like: **even without a firewall** OS X still did not get broken into. The other two didn't either, of course, but they had an extra layer of security.
So, all three OSs withstood a day of attack. Applications, that's a whole other world. So it seems like Safari sucks mightily, that's the only thing we can say for certain here.
-
Friday 28th March 2008 16:40 GMT Anonymous Coward
@ J
Quote from article:
[Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack.]
...and again, incase you missed it:
[Not a single attendee entered the contest on day one...]
...then, just once more for luck:
[Not a single attendee...]
So, who did you say hasn't read the article with care?
-
Friday 28th March 2008 16:48 GMT Daniel B.
OSX v Linux v Windoze v whatever
Ah, reading this thread is amusing: First I read this:
"All Mac-OSX is is a crippled and badly patched version of Linux, so no surprise they got rooted first."
and then someone points out the obvious:
"OSX is NOT Linux based! It is *BSD based. A mutilated, crippled BSD, but BSD nonetheless."
Funny thing being that OSX amongst the average joe is seen as "Linux with a pretty UI", as the *BSD's are not known beyond the IT spheres of influence.
IIRC, there are a lot of rabid *BSD fans out there, maybe that attitude permeated to the Mac crowd with OSX? .... no, that would discredit Jobs' reality distortion field ;) Not that the *BSD's don't have a Jobs-like poster, just search for the "Linux is a half-assed patched-up hack job" article from one of the *BSD folks.
-
Friday 28th March 2008 17:29 GMT Matthew
How often does clicking a link in IE bring down your PC?
If the MS box didn't have any 3rd party virus/security apps then it would get owned pretty quick.
Safari wouldn't have been running as root so you shouldn't be able to pwn the OS.
If folk don't know how to use a FW then it's their own problem if something happens.
Still I run Firefox and this problem will be fixed so until I hear otherwise I'm not concerned. It's hardly going to make me sell my white box and buy a grey/silver one.
-
Friday 28th March 2008 17:29 GMT Simon Day
@Edward Rose
You don't run a software firewall, because you couldn't find a generic one?
Have you perhaps heard of IPTABLES?
Its part of your linux kernel - high configurable, good performance and with the right settings very secure.
Ok if you have a complicated setup it may take you a day to learn how to use it properly, but then network skills are useful especially if you work in IT.
There are hundreds of pre written scripts that will run basic firewalls for you, usually with a couple of insert here variables at the top.
Anyone not capable of using those should be allowed to connect a PC to a network, regardless of the OS.
The type of exploit use on OSX really goes to prove this.
Even assuming that the telnet session connected into the mac and had root privileges, it still required a user to click on a link without having verified it, and not having their machine behind a firewall. Both of these are user errors, admittedly compounded by what the browser allowed to happen (a very IE5 level of stupidity)
Oh and someone above suggested that root kits were named so because they exploit unix not windows more... that is true as far as it goes - but the reason as that these root kits were around before windows was available!
I'd rather see this competition rerun, but with the specification quite different: each box to be set up to run a specified collection of services and security hardened by an experienced admin, only its own inbuilt firewall, or 3rd party firewall running on the box to be allowed - no external hardware.
The boxes should then be scored on:
Performance/Cost (including admin time to set up - we assume ongoing time is minimal for any competent admin)
Do all services function as specified
How long to hack each box:
via a patch cable on day 1,
Local terminal day 2
Allow access to bios enabled usb ports and CD drive day 3 (no access to boot order, boot from usb/cd, or case internals - any child can hack a box with that level of access)
-
Friday 28th March 2008 17:29 GMT Tom Turck
Macpwn'd
This was inevitable. Apple has been stumbling in the dark for 10-15 years in the OS/Desktop/laptop dept. Apple should focus on iTunes and the iPhone. The current "macs" are pc's with a port of BSD ho-hum.
Microsoft owns it is the least secure OS of the bunch and makes an effort to correct it. Its for sure a lot more Windoze will get hacked, only beacasue there are so many more windoze systems compared to Macs and MacTards....
-
Friday 28th March 2008 17:53 GMT Neil Alexander
So, uh
The competition is made up of three computers that are as close to factory defaults as possible? Doesn't anyone realise that a very large percentage of security holes on computers come from software that users voluntarily install?
http://www.theregister.co.uk/2008/03/27/buggy_flash_menace/
http://www.theregister.co.uk/2008/03/12/march_patch_tuesday/
http://www.theregister.co.uk/2008/02/25/vmware_critical_vuln/
http://www.channelregister.co.uk/2008/03/27/firefox_security_flaws_update/
http://www.theregister.co.uk/2008/02/11/adobe_reader_exploit/
And in my opinion, even with computers that are at factory default, having a user click a link doesn't really count as hacking per-se. Let's face it; the typical person is going to be connected through one of:
1) wireless networks with no port forwarding by default;
2) other routed networks with no port forwarding by default;
3) GPRS/EDGE/3G/HSDPA networks with no port forwarding by default;
4) a firewall.
In this case, what does it matter if a port is opened here or there? There aren't really that many standard modems in use anymore where you are completely externally exposed, and if you are stupid enough to be using one without a firewall, or if you are stupid enough to permanently have your router/gateway set to DMZ, you are asking for trouble. If you are stupid enough to allow a hacker onto your LAN, ...
If a hacking competition is based on the idea that someone is going to have to physically walk up to your computer and stick a crossover cable in the side of it to do any real harm, then the competition is sorta flawed. In that case, I would be more concerned about someone breaking into my house rather than "hacking" my computer.
Similarly, a competition where people have had the time to orchestrate their attack and just execute it when they get there is equally flawed.
I'm a Mac user day-to-day. I don't believe that the system is completely secure, which is why I keep my firewall up, regularly install updates and security patches and don't set myself up for trouble. At the same time, I don't expect everything I install to be completely secure. I have had previous Windows computers that have been infected with viruses before my first logon after a fresh reformat and reinstall (just by being connected to a LAN during setup). But at the same time, I've also had Windows installs in the past that have been flawless for as long as they have been in use. Computers are inherently insecure, regardless of your operating system.
Okay, yeah. So the MacBook got beaten first, and now this has happened, the playing field is leveled a bit. The moral of the story is "use your firewall, install your updates and don't click links you don't trust". Now will the Windows or anti-Mac zealots please stop with the "take this, fanboys!" attitude? Your operating system is not perfect either, yet I do not waste my time bashing your system. Get back to me when it is and then I might be less tempted to gouge out your eyes with a screwdriver.
It seems the word "hacking" is vastly misunderstood these days.
This topic is closed for new posts.
Biting the hand that feeds IT
